
Practice Guides

Table of Contents
Supplemental Guidance

Practice Guides
Assessing Organizational Governance in the Private Sector
Assessing the Adequacy of Risk Management Using ISO 31000
Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing
Audit Reports: Communicating Assurance Results
Auditing Anti-bribery and Anti-corruption Programs
Auditing Executive Compensation and Benefits
Auditing External Business Relationships
Auditing Privacy Risks, 2nd Edition
Auditing the Control Environment
Business Continuity Management
Chief Audit Executives—Appointment, Performance, Evaluation, and Termination
Coordinating Risk Management and Assurance
Developing the Internal Audit Strategic Plan
Evaluating Corporate Social Responsibility/Sustainable Development
Evaluating Ethics-related Programs and Activities
Formulating and Expressing Internal Audit Opinions
Independence and Objectivity
Integrated Auditing
Interaction with the Board
Internal Audit and the Second Line of Defense
Internal Auditing and Fraud
Measuring Internal Audit Effectiveness and Efficiency
Quality Assurance and Improvement Program
Reliance by Internal Audit on Other Assurance Providers
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements
Talent Management

Practice Guides—Public Sector


Assessing Organizational Governance in the Public Sector
Creating an Internal Audit Competency Process for the Public Sector
IPPF – Practice Guide

Assessing Organizational Governance in the Private Sector

July 2012

Table of Contents

Executive Summary ......................................................................................... 1
Introduction .................................................................................................... 2
Understanding the Context of and Defining Organizational Governance ......... 3
The Role of Internal Audit in Providing Assurance and Consulting Services ... 4
Identifying and Analyzing Relevant Governance Processes/Practices and the Assessment Criteria to Use ............................... 4
Developing the Periodic Plan for Auditing Governance ..................................... 7
Planning and Completing Governance Engagements ..................................... 10
Considerations by Specific Governance Activity ............................................ 17
Appendix — Board Risks, Control Objectives, Practices ................................. 22
Authors and Reviewers ................................................................................. 26

www.globaliia.org/standards-guidance

Executive Summary

In today’s political and business environment, there is increasing focus on governance, risk management, and control. Strong governance systems are needed to better ensure that organizations will meet their objectives and stakeholder expectations. Stakeholders expect boards1 and management to accept responsibility and implement appropriate governance practices. The board is the focal point for governance practices and in fulfilling its oversight responsibilities will look to the internal audit activity to provide it with assessments on the organization’s governance practices. This Practice Guide provides the chief audit executive (CAE) specifically in the private sector with direction on how to assess and make appropriate recommendations for improving governance processes.

This Practice Guide includes the following sections and an appendix:

Understanding the Context of and Defining Organizational Governance

Organizational governance involves the set of relationships among the organization’s stakeholders, board, and organizational management.

There are a number of authoritative definitions put forth by professional groups, regulators, academia, et al. These definitions are all very similar. The one used in this practice guide comes from The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards).

Regardless of the governance definition used, there are common themes that are included in this section.

The Role of Internal Audit in Providing Assurance and Consulting Services

The internal audit charter should state that the scope of work includes all governance activities and processes. This does not mean, however, that internal auditors are required to perform audits of all governance activities and processes. There are several roles internal audit can play in assessing and contributing to the improvement of organizational governance practices. Although internal audit can play various roles, this Practice Guide deals only with providing formal assessments of organizational governance.

Identifying and Analyzing Relevant Governance Processes/Practices and the Assessment Criteria to Use

There is no “one size fits all” governance model. Governance structures and practices should be individually tailored to the organization. There may be legal and regulatory requirements, mandatory and optional practices prescribed by country governance codes, various organizations promoting governance principles, and practices common to the environments that the organization and its peers operate in. Guidance on IT governance is provided because of the reliance most organizations place on IT and the pervasive governance practices that should span the technology spectrum.

Developing the Periodic Plan for Auditing Governance

The range of activities, depth of review, and time period to include in the assessment should be established and agreed on with the board. All governance activities, both board and nonboard, should be considered.

1 The term board is used in this guidance as defined in the Standards glossary: “A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.”


In the process of setting the scope, the CAE will assess the relative risk of governance processes, evaluate the audit approach — assurance vs. consulting — and identify the various stakeholder expectations in setting the assessment objectives.

In developing a periodic program of governance audits, CAEs will need to consider how many audits to do and how governance assessments are woven into nongovernance-specific audits, a reliance that may be placed on other organization functions, external audit, and governance over IT.

Planning and Completing the Governance Engagements

Individual engagements flow from the annual program of audits. At the engagement level, staffing the project with the right skills, competencies, and experience is critical. Because many organizations are subject to regulations addressing required governance practices, the CAE should forge a strong working relationship with and involve the organization’s general counsel (internal or external).

Considerations by Specific Governance Activity

With the variety of organizational operating environments globally, this Practice Guide provides aspects of important governance processes the internal auditor in the private sector should consider while developing his/her audit program(s). There is specific guidance to consider in facilitating board assessments and evaluating the organization’s strategy process, ethical environment, risk management process, compliance function, monitoring activities, and IT governance.

Appendix — Board Activities/Processes and Risks

The overall objective of organizational governance is to inform, direct, manage, and monitor an organization’s activities toward achievement of its objectives. On behalf of the organization’s key stakeholders, the board is the focal point for ensuring effective governance. The board faces risks to achieving effective governance. However, there are a number of practices that when implemented effectively will mitigate the risks they face.

Introduction

The internal audit activity helps an organization achieve its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of governance, risk management, and control processes. This practice guide discusses important areas for consideration in assessing the organization’s governance practices. By their very nature, practice guides provide information on how to conduct internal audit activities. This Practice Guide should be used in conjunction with the Standards and practice advisories in the International Professional Practices Framework (IPPF), specifically Standard 2110: Governance and Practice Advisories 2110.1: Governance: Definition; 2110.2: Governance: Relationship with Risk and Control; and 2110.3: Governance: Assessments. In addition, due to the relationships between governance, risk management, and control, the Standards addressing those specific governance activities (Standard 2120: Risk Management and Standard 2130: Control), along with supporting practice advisories and practice guides, should be referenced.

The type of organization, its size, complexity, and geographic location(s) will drive the shape of the governance requirements and practices. For that reason, this Practice Guide will provide guidance on how to assess organizational governance in the private sector. This Practice Guide will not provide a framework or audit program, as those are best designed specifically for the organization in the environment in which it operates.

The organization’s board has responsibility for the governance system. The CEO owns the governance processes


within the organization (non-board processes). Many governance practices are performed by the board and executive management, which makes assessment a sensitive matter. An effective internal audit activity that is independent, objective, and capable, uses sound assurance processes and practices, and conforms to the Standards is qualified to audit the governance process and provide assurance to the board and management on governance effectiveness.

1.0 Understanding the Context of and Defining Organizational Governance

Organizational governance involves the set of relationships among the organization’s stakeholders, board, and organization management. These relationships are framed by rules and requirements and provide the structure through which the objectives of the organization are set, the strategies to achieve those objectives are defined, operating plans are prepared, performance is monitored, and information is communicated transparently among the parties.

The term governance has a range of definitions depending on a variety of environmental, structural, and cultural circumstances and legal frameworks. The Standards define governance as: “The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.”

Globally, there are a variety of governance models that have been published by other organizations, including legal and regulatory bodies. For example, the Organisation for Economic Co-operation and Development (OECD) defines governance as “a set of relationships between a company’s management, its board, its shareholders, and other stakeholders. Corporate governance provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performance are determined.” The Australian Securities Exchange Corporate Governance Council defines governance as “the system by which companies are directed and managed. It influences how the objectives of the company are set and achieved, how risk is monitored and assessed, and how performance is optimized.” In most instances, there is an indication that governance is a process or system and is not static. What distinguishes the approach in the Standards is the specific emphasis on the board and its governance activities.

The frameworks and requirements for governance vary according to organization type and regulatory jurisdictions. Examples include publicly traded companies, not-for-profit organizations, associations, government or quasi-government entities, agencies, academic institutions, private companies, commissions, and stock exchanges.

The board is the focal point for effective organizational governance. It is the link between the stakeholders and the organization’s executive management. To be effective, the board should be independent, engaged, and committed. The board bears primary responsibility for the governance of its organization. The board establishes, maintains, and monitors standards and policies for ethics, business practices, and compliance that span the organization. The board directs and provides oversight of the executive leader and senior management in setting strategic objectives, establishing appropriate risk levels, instituting effective control systems, tracking performance, and providing transparent, complete, clear, and timely communication to stakeholders.

Other board responsibilities include setting the organization’s strategic objectives and providing the leadership to put them into effect, supervising the management of the business, and reporting to the stockholders on their stewardship. The board’s actions are subject to laws, regulations, and the needs of the stakeholders. The board typically delegates significant authority for the day-to-day operations to an executive leader (CEO) and his/her executive officer team.
Securities Exchange Corporate Governance Council de-


The organization’s executive leadership and senior management are accountable to the board. The CEO is ultimately responsible for implementing the organization’s governance system. The CEO sets the “tone at the top” for the integrity, ethics, and conduct that will contribute to an effective governance environment. He/she imparts this tone to his/her executive leadership team, which in turn cascades organizationwide. The CEO and executive management should do more than just “talk the talk.” They are on the organization’s stage and should “walk the walk” to ensure that a positive governance culture exists throughout the enterprise. In addition, executive leadership and senior management should ensure that governance policies, procedures, and programs exist and are followed, and that there is compliance with the appropriate laws, regulations, and codes.

The starting point for internal audit in providing assurance is to gain an understanding of the context within which its organization operates, identify the key stakeholders and their requirements, and determine how the organization defines governance. The CAE should work with the board and the executive management team, as appropriate, to determine how governance should be defined for audit purposes.

2.0 The Role of Internal Audit in Providing Assurance and Consulting Services

The internal audit charter should state that the scope of work includes all governance activities and processes. This does not mean, however, that internal auditors are required to perform audits of all governance activities and processes. There are a number of roles internal audit can play in assessing and contributing to the improvement of organizational governance practices.

• Provide advice on ways to improve the organization’s governance practices if they are not mature.
• Contribute to the organization’s governance structure through internal audits, even if not focused on governance as an audit topic.
• Act as facilitators, assisting the board in self-assessments of governance practices.
• Observe and formally assess governance, risk, and control structural design and operational effectiveness while not being directly responsible, if positioned properly within the organization and staffed with capable professionals.

The appropriate role for internal audit and the resource commitment to each of these approaches will depend largely on the maturity of the organization’s governance structures and the organization’s size and complexity. The CAE should discuss and reach an agreement with the board on internal audit’s role in assessing organizational governance.

Although internal audit can play various roles, this Practice Guide deals only with providing formal assessments of organizational governance. The various ways to assess organizational governance are discussed in Section 4, Developing the Periodic Plan for Auditing Governance. Recognizing that there could be sensitivities to assessing and reporting on some board- and executive-level governance activities, board-level sponsorship for the assessments should be obtained as part of this periodic audit planning process.

3.0 Identifying and Analyzing Relevant Governance Processes/Practices and the Assessment Criteria to Use

The next phase in providing formal assessments of organizational governance is to identify all relevant governance processes/practices. This is followed by reviewing the processes to identify process objectives and related risks. The next step in this phase is to establish assessment criteria and, finally, validate the understanding obtained with the board and organization’s executive management. As you perform these steps, you may find that the governance process documentation is not adequate. If this condition exists, it should be reported to the board as an initial opportunity to strengthen governance practices.


3.1 Sources for Governance Processes/Practices

Governance practices should be tailored to comply with mandatory requirements and best fit the organization’s risk profile.

The legal jurisdictions in which the organization operates promulgate those laws and regulations deemed to be in the best interest of good governance. These tend to form the minimum requirements. Examples are the U.S. Foreign Corrupt Practices Act (FCPA), Security Laws, and the U.S. Sarbanes–Oxley Act of 2002; Ontario, Canada, Bill 198; Canada’s Competitions Act; the German Corporate Governance Code; the Australian Corporate Reporting and Disclosure Law – CLERP9; France’s Financial Security Law; Italy’s L262/2005; South Africa’s Companies Act 2008; and South Africa’s King III Report.

The legal and regulatory requirements that apply to your organization should be used in conjunction with applicable requirements stemming from self-regulated organizations (SRO). An SRO is an organization having certain limited regulatory authority over its members. It can be a market mechanism or industry or profession specific. One of the largest global types of SROs is a stock exchange. Stock exchanges include in their regulations specific governance practices that listed companies should adhere to. There are more than 50 major stock exchanges.

The Articles of Association, or similar documents (e.g., Acts and Regulations for some government organizations), establish and define the purpose of the organization. Bylaws, policies, or operating agreements also may be created. The latter are rules for conduct of the organization. They are the “game plan” on how the organization is to be run and operated. Bylaws, policies, and operating agreements also set out the rights and powers of the stakeholders, board members, and officers within the organization. These are, in effect, a contract among members, and should be formally adopted and/or amended. The bylaws should be reviewed regularly.

Generally speaking, an organizational governance code is a set of principles, standards, and/or preferred practices that are promulgated by an influential body relating to governance of the organization. These codes can be mandatory, strongly recommended, or optional. Some codes are linked to stock exchange listing requirements.

The OECD2 has published a set of governance principles that, while non-binding, provide common elements of good governance practices and guidance on implementation. The principles tend to focus on publicly traded corporations but are useful in comparing and improving governance practices in any organization.

Other sources useful in identifying governance practices include the customs, behaviors, and stakeholder expectations that exist in the organization’s operating environment.

3.2 Review the Documented Governance Processes

Concurrent with identifying the governance requirements from Section 3.1, internal audit should obtain and review the governance documentation that exists. Keeping in mind that there is no “one-size-fits-all” governance framework or model, the actual governance processes and activities will vary. By design, the organization’s governance processes should respond to the requirements identified in the preceding section.

To further ensure that all governance processes and activities have been considered, the following is provided as a generic yet comprehensive list of governance processes that should be evident in the organization’s formal and informal governance practices. Governance practices

2 OECD Countries: Australia, Austria, Belgium, Canada, Chile, The Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Korea, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Poland, Portugal, The Slovak Republic, Slovenia, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States. The Council of the European Commission also takes part in the work of OECD.


are grouped at the board level and within the organization (non-board). Together, they form the governance umbrella over the organization’s operations.

Board Governance Practices

• Board and committee structure, charters, roles and responsibilities, processes, and reporting.
• Board and committee activities — calendars, meeting agendas, meeting papers, minutes and reports of meetings, follow-up actions, and self-assessments of board and committee governance practices.
• Board composition, including selection, induction, ongoing education and training, remuneration, and protection of board members.
• Board and committee oversight including objective setting, strategies, structures, operating plans and budgets, capital acquisition and allocation, CEO, enterprise risk management (ERM), ethics and integrity, delegated authorities, performance measurement and results, compensation and rewards, policies and procedures, compliance, decision making, stakeholder communication such as financial reporting and disclosures, reputation, unpredictable events, and other organizational governance practices.
• Assurance practices, including external financial, regulatory, and internal audit.
• Additional practices generally retained by the board, which may include:
  – Selecting, monitoring, evaluating, compensating, and retaining the CEO and other key members of senior management.
  – Providing strategic guidance to the CEO and senior management.
  – Reviewing and approving objectives and important organizational plans and actions.
  – Making decisions on major transactions (transformational transactions) before submission to stakeholders for approval.
  – Reviewing and approving major changes in accounting and auditing principles and practices.
  – Declaring dividends and approving share repurchase programs.
  – Resolving cross-organizational issues.

Organization Governance Practices

• Setting objectives.
• Developing strategies, operating plans and budgets, organizational structures, and management committees.
• Assignment of authority and responsibilities organization-wide.
• Defining behaviors, codes of ethics, and conduct including conflict of interest, fair dealing, protection and proper use of assets, insider dealings, violation reporting (hot lines), and disciplinary actions.
• ERM to include internal control, fraud risk management, and IT governance.
• Compliance with laws, regulations, and codes both mandatory and optional where adopted.
• Monitoring and performance measurement.
• Ensuring effectiveness of assurance providers within the organization (particularly operational management that serves as the first line of defense for a sound system of internal controls and enterprise-wide activities like risk management and compliance that serve as a second line of defense).
• Communication up, down, and across the organization.
• Processes that ensure effective communication with shareholders and stakeholders.
• Capital acquisition and allocation.
• Capabilities — people selection, development, retention, and succession planning.
• Transformational transactions.
• Cross-organization issues.
• Organization responsibility and sustainability.


• Evaluation and rewards, both salary and incentive compensation.
• Organizational processes for assessing performance and independence of external auditors, including the nature and extent of non-audit services obtained.

Internal audit is itself a key governance activity. Its effectiveness in providing assurance to stakeholders is critical to effective governance. The board should look to the CAE for periodic reports on the internal audit activity’s quality assurance and improvement program and ensure that the program provides for an independent assessment at least every five years as per Standard 1312: External Assessments. The CAE should ensure that the reports of independent assessors are provided to the board. In addition, the board will draw its own conclusions on the effectiveness of the internal audit activity.

3.3 Establish the Assessment Criteria

Laws, regulations, and, potentially, governance codes provide the basis for the organization’s mandatory governance practices. There also are qualitative aspects of an organization’s governance practices that should be made a part of the assessment criteria. One assessment tool that may be considered is a governance maturity model. There are governance maturity models available; however, we do not provide one here because the governance attributes and criteria will vary depending on the organization’s context. To develop an organization-specific maturity model, the CAE should review any available models for the organization’s country and industry and take into consideration the governance documents and issues specific to the organization. A draft maturity model should then be discussed and agreed on with senior management and the board.

Once finalized, a maturity model can be used to evaluate and improve the organization’s governance structures, processes, and arrangements either taken as a whole or by individual governance process — ERM, compliance, internal audit, and so on — particularly when some governance processes may have greater desired maturity than others. Use of maturity models also provides a good facility for tracking improvement progress. The maturity model will provide the methodology for establishing the criteria needed to provide relevant and reliable information on the existing governance process effectiveness. In addition, it can be used for benchmarking practices that the board would expect to have as a minimum acceptable level.

3.4 Validate Understanding and Agree on the Assessment Criteria

The board and board-level committees have responsibility for board-level governance practices and oversight responsibility for the governance practices within the organization. The CEO has overall responsibility for governance practices within the organization and may delegate certain governance responsibilities to others in the organization. Internal audit should map the governance responsibilities to those responsible for their design and operating effectiveness.

After completing Sections 3.1, 3.2, and 3.3, internal audit should validate its understandings with the governance process owners, senior management, and the CEO. Internal audit should conclude this phase of the assessment process by further validating its understanding of the governance practices with the board and related committees. The assessment criteria should be agreed to as well.

4.0 Developing the Periodic Plan for Auditing Governance

The definition of governance in the Standards emphasizes the board and its governance activities. This includes evaluating board effectiveness. It also includes providing the board with timely and relevant information regarding the governance process, including the non-board activities through which governance is realized.

In addition, as discussed in Practice Advisory 2110-2, the relationships among governance, risk management, and internal controls should be considered:


• Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).
• Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.
• Control and risk also are related, as control is defined as “any action taken by management, the board, and other parties to manage risk and increase the likelihood that established goals will be achieved.”

Due to these interrelationships and depending on the nature of the organization’s governance structures and processes, the most appropriate way to audit governance might be one or a combination of the following:

• Audits of specific governance practices such as those listed in Section 3.2: Review the Documented Governance Processes.
• A single audit including all processes that focus specifically on governance.
  – This approach might be practical only in small organizations or as a high-level review to determine whether additional processes are needed and whether the existing processes, taken together, give the board all the information it needs to fulfill its governance responsibilities.
• Including governance in audits that focus more directly on business operations or support activities.
  – In this approach, a component of those audits would include the interface of the governance processes with those operations and activities. Governance audit work at the operations and support activity level will provide detailed information to internal audit on how well governance practices are understood and practiced throughout the organization. Over time and if desired by the board, the internal audit activity may be able to provide assessments on the state of governance within the organization as a whole, using this work as a basis for that opinion.

The CAE should discuss and agree with the board on which approach or combination of approaches will be most effective for the organization, taking into account the considerations that follow in this section.

To implement the selected approach, the CAE should review the audit universe and modify it as necessary to ensure that governance processes and structures are included.

If the decision is to audit specific governance processes, these processes should be identified and included as auditable entities in the audit universe.

If the decision is to perform a single audit including all processes that focus specifically on governance, this will become an auditable entity.

If the decision is to include governance in audits that focus more directly on business operations or support activities, modifying the audit universe will be more difficult. Ideally, the CAE will identify the governance processes and structures within each auditable entity and include them when assessing risk for each entity. This might not be feasible, though, because identifying those processes and structures might be a major project in itself. In this case, it might be more practical to require the audit teams to identify and evaluate those processes and structures during the audits they perform. A certain amount of time will have to be added to each audit for this additional work. After some period of time — perhaps a year — enough will be known about the organization’s governance that identifying governance processes and structures in entities not yet audited will not be a major project.

With the universe defined, a risk-based approach should be employed to identify the audits to be carried out over

8 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Assessing Organizational Governance in the Private Sector

the planning horizon. The audit activity should ensure activities also give assurance on board governance activi-
that there is a balance of units selected for review in the ties. The appendix includes risk considerations for a num-
three areas of interest to internal audit due to their in- ber of these activities.
terrelation — governance, risk management, and control.
Doing so allows the audit activity to take into consider- 4.1 Risk Assessment
ation the holistic organic view of governance and its ef- As stated above, the CAE should use a risk-based ap-
fects on risk management practices and internal controls proach in defining the scope of the governance assess-
and vice versa. At the organizational level, board input ment or assessments. It is important to consider the na-
should be obtained on the level of relative risk of each of ture of the organization (i.e., publicly traded and privately
the governance processes such that the highest risk orga- held, large and small, local and global, for profit and not-
nization governance processes are included in the internal for-profit, simple and complex, highly regulated and non-
audit plans. Many boards categorize organizational risks regulated) and the context within which it operates. The
into strategic, operational, financial, and compliance. risks to achievement of organizational objectives for which
Risk-savvy boards expand the categories to include intan- comprehensive governance processes should be in place
gibles such as assets, reputation, social responsibility, and will be greatest in large, complex, highly regulated organi-
unpredictable events. The CAE should work with the or- zations and organizations in multiple jurisdictions.
ganization’s risk management professionals in listing pos-
sibilities for discussion with the board. 4.2 Special Circumstances
The key elements in developing the audit plan are appli-
The CAE should also determine the board’s expectations
cable for all types of organizations. Special circumstances
for internal audit’s governance assessment deliverables.
may exist for some organizations. The CAE should review
For example, does the board want an overall opinion on
organization bylaws, articles, board and board committee
the effectiveness of all governance practices, an overall
charters, and the organization’s operating environment,
opinion on those governance practices that exist within
and discuss any special circumstances with the board. The
the organization, opinions of the effectiveness of specific
board’s insights from these discussions will help frame the
elements, or reports with recommendations for improve-
overall audit plan. Special considerations may apply in
ment that do not include an opinion? The board might
certain non-profit and government contractor activities.
prefer assessments based on a maturity model, with the
maturity of each governance attribute measured against
4.3 Reliance on Other Assurance Providers
specific criteria. The board can then compare the actual
and desired levels of maturity for each attribute, identify Special consideration should be given relative to gover-
strengths and gaps, and get a more complete and bal- nance audits including coordination with the external
anced picture of the ethical climate than an audit opin- auditors.
ion provides.
During the planning process, the CAE should determine
Some of the planned audits may be sensitive. It is im- what reliance internal audit can place on other assurance
portant that the audit plan is reviewed with the board in providers. Internal assurance providers include functions
detail and its sponsorship be clearly established. such as risk management, compliance, quality assurance,
environmental auditors, health and safety auditors, and
While this section deals primarily with governance activi- government performance auditors. The criteria for reli-
ties within the organization, some leading internal audit ance include:

www.globaliia.org/standards-guidance / 9
IPPF – Practice Guide
Assessing Organizational Governance in the Private Sector

• Organizational independence.
• Individual objectivity.
• Competence (e.g., technical knowledge, experience, professional or industry certification, and continuing professional development).
• Documentation of work.
• Engagement supervision.
• Quality of written reports delivered to management.
• Issues and action plans identified.
• Communication of results to the appropriate level of the organization.
• Issue closure process.
• Issue closure escalation process to appropriate level in organization.
• Risk-based considerations in the annual planning process.

To confirm reliance, internal audit might:

• Review some of the assurance provider engagement work.
• Reperform a sample of the work.
• Perform one or more combined assessments with the assurance provider.

The annual plans prepared by other assurance providers where reliance is anticipated should be provided to internal audit early in the audit planning cycle. The plans should include scope, objectives, and timing and locations/areas to be assessed. Ideally, these plans should be risk based using a common language — the one internal audit employs. Copies of relevant reports from these assurance provider reviews should be provided to internal audit.

Boards of organizations with mature governance practices are beginning to ask for more and better coordination and integration of the assurance services. Internal audit should be instrumental in forming an integrated or combined internal assurance provider process.

External assurance providers such as external auditors, third-party assurance providers, and regulatory examiners will provide the board, executive management, and stakeholders additional comfort on aspects of the organization’s performance. In establishing the governance assessment approach, the CAE should consider the nature, scope, and timing of external assurance providers’ work. Practice Advisory 2050-1: Coordination and The IIA’s Practice Guide, Reliance by Internal Audit on Other Assurance Providers, provides guidance on coordinating work with external auditors.

4.4 Communicating Activities among the Board and External and Internal Auditors

Key communication points occur during the annual planning process, providing status on plan completion, reporting of results, and follow-ups on management improvement actions. The CAE should have practices in place with the board and the external auditors to facilitate these communications. Form, content, and timing (scheduling) should be established in advance generally using a 12- to 15-month window.

Communication is a two-way street. The CAE should set internal audit expectations with the board and external auditors to ensure receipt of relevant information that would guide and shape internal audit governance assessment work.

5.0 Planning and Completing Governance Engagements

How an organization designs and practices effective governance will vary. Therefore, establishing objectives and criteria upon which to base the assessment is difficult. There are common themes, but there are often no common practices. As a result, assessing the adequacy of governance activities will require significant judgment by the auditor. For each engagement, the assessment should include an evaluation of the design of the process or activity and include sufficient testing to draw a conclusion on operating effectiveness.

Some specific areas to consider at the engagement level include:

• Process objectives — goals, purpose, and objectives of the process or activities within the scope of the engagement.
• Risks — risks that exist to achievement of those goals and objectives identified in setting strategy.
• Structures — structures (organizational units, processes, policies, and procedures) that support achievement of objectives and are documented, communicated, and understood.
• Accountabilities — clearly defined roles, responsibilities, and accountabilities.
• Required legal and regulatory requirements conformance.
• People — adequate staffing, training, and development.
• Communicating results.
• Monitoring improvement action progress.

5.1 Planning

Setting the Engagement Objectives

Engagement objectives reflect the purpose for performing the engagement and the deliverables that are to come from the work. Simply stated, engagement objectives state what the audit will provide. While the objectives should have been developed during the periodic audit planning process, the objectives should be formally established and communicated in an engagement memo or Terms of Reference. These objectives can be stated in a variety of ways depending on the nature and scope of the assurance engagement. Regardless of the wording used, the objectives should clearly state the specific assurance to be provided. Examples include:

• Assess compliance with required governance activities.
• Evaluate risk management activities at the subsidiary level.
• Provide assurance on how well the organization’s strategies have been communicated and adopted organization-wide.
• Evaluate the design, implementation, and effectiveness of the organization’s ethics program and related activities.
• Assess how well authorities have been delegated, acknowledged, and followed throughout the organization.

Identifying Governance Activity (Process) Objectives and Analyzing Associated Risks

Governance activity or process objectives are important to understand and will enable the internal auditor to identify and analyze the associated risks and controls. The overall objective of organizational governance is to enhance organizational value and ensure proper management accountability and communication to its key stakeholders.

For each specific governance activity or process, there may be different types of objectives. Generally, objectives can be categorized as: strategic, operational, compliance, and reporting. These are described in The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework and can provide useful guidance in identifying and understanding relevant objectives for the specific governance activity or process to be reviewed.

Section 3 introduces general governance practices grouped at the board level and within the organization. Together these activities constitute the governance umbrella over the organization’s operations. The appendix provides examples of governance activity objectives and risks at the board level while Section 6 provides similar information for the key governance processes within the organization.

Legal Involvement

Oftentimes the internal auditor will be challenged to interpret application of laws and regulations. Except for those with law degrees, internal auditors generally do not have the legal background to adequately interpret the more complex legal implications affecting organizational governance. When faced with this situation, the CAE or supervisor of the engagement should involve the legal department or the organization’s legal counsel in providing the necessary legal advice. When the area of audit focus is assessment of the organization’s legal activity, the CAE should consider use of outside counsel. The CAE should obtain agreement from the board on this.

Engagement Staffing

The nature of the engagement — scope and objectives — will shape the knowledge, skills, competencies, and experience needed to successfully complete the engagement. The CAE should identify the knowledge, skills, competencies, and experience needed for the engagement and assign staff that best fits these requirements. Where important gaps exist, the CAE should consider just-in-time training, guest auditors, or a consultant to fill the gaps.

The audit plan should include the program of audits to be completed, the timing of those audits, and the resources needed. CAEs are often challenged with limitations or constraints on resources. Governance audits are high profile, and staffing them often requires individuals with advanced knowledge, skills, competencies, and experience. When using a third-party source for staffing, the CAE should ensure that the staff is both independent and objective.

5.2 Performing the Engagement

Sources of Evidence

In providing assurance, internal auditors normally use a two-step approach: review the design and test the operating effectiveness of key activities. The internal auditor should gather sufficient, relevant, and reliable information in carrying out the work and formulating conclusions and recommendations. There are a number of sources to consider in gathering the evidence.

Attribute / Evidence to Consider

Attribute: Role of the Board
Evidence to Consider:
• Legal documents establishing the organization (Articles of “formation,” bylaws, etc.).
• Legal and regulatory requirements with which the board should comply (acts, statutes, rules, etc.).
• Briefing papers including pre-meeting materials and presentations.
• Meeting minutes and actions taken.
• Charters including those of any committees of the board.
• Board member profiles.
• Self-assessments.
• Regulatory actions/sanctions.
• Orientation and training materials.
• External reports to include independent auditors, regulators, rating agencies, etc. (for the organization’s “watchdogs”).
• News sources for any relevant press regarding the organization.

Attribute: Values, Culture, Philosophy
Evidence to Consider:
• Ethics and integrity policy – adopted, communicated, affirmation, training.
• Mission, vision, values established and communicated.
• Whistleblower hotline established, communicated, level of awareness and use, organization response.
• Organization personnel surveys confirming individual awareness and understanding.
• Organization personnel surveys confirming executive/leadership displays a values culture and philosophy.
• New employee training and orientation includes values, culture, and philosophy.
• Communication/training exists on ethics and values in “gray areas.”

Attribute: Structures, Arrangements (includes legal documents, policies, standards, charters, etc.)
Evidence to Consider:
• Articles of formation (incorporation), bylaws, operating agreements, etc.
• Policies that include: purpose, roles and responsibilities, audience, scope, definitions, authorities, effective dates, implementation dates and procedures, authorities and administration, measurement and validation (to name a few topics that should be included).
• Standards that articulate the “to what level” of performance is to be expected (i.e., zero defects or tolerance, Six-Sigma).
• Mandatory governance requirements adopted with appropriate structures and incumbents in place at C-suite level.
• Detailed process and accountability in place to keep current on governance requirements.
• Governance committee charters that include purpose, scope authority, roles and responsibilities, and membership and are published, widely known and readily accessible, periodically reviewed and updated as necessary.
• Governance committee meeting minutes, actions taken, and reporting.
• Examples of governance committees that larger organizations may have include governance, strategy, risk, audit, control, compliance, disclosure, finance, and IT governance/risk.
• For larger and more complex organizations, governance structures and organization charts that cascade throughout the organization fully staffed with clear reporting relationships.
• Details on governance processes where there is shared accountability, particularly in organizations that use matrix management.
• Process details for addressing or approving deviations to policies, standards, and procedures.

Attribute: Process, Procedures, Process Management (level below organization-wide structures)
Evidence to Consider:
• Documentation that identifies all organizational activities, operations, departments, functions, and/or processes.
• Documented maps for each process showing inputs, activities, tasks, steps in the process, and outputs. Mapping also should include such references as objectives, customer conditions of satisfaction, ownership, procedures to update when necessary, and procedures to make available to those with the need.
• Documentation for all aspects of transformational transactions and existing process change management.

Attribute: Goals, Objectives, Strategies, Plans, Risk, Controls
Evidence to Consider:
• Current list of organization’s goals, objectives, standards, and strategies.
• Communication protocols.
• Details on alignment throughout organization.
• Process to update and re-communicate.
• Evidence of board approval from meeting minutes or correspondence directly from the board.
• Details showing the allocation of resources to execute strategies approved by the board.
• Documented responsibility for strategy implementation.
• Risk policy and procedures approved by the board that include: risk process, risk universe with common risk descriptions, risk tolerance levels, risk assessment and reporting process, and risk ownership.
• Details of function/department/unit/individual goals and objectives and their alignment to the organizational ones.
• Performance or reward systems that encourage personnel to achieve organizational goals that are aligned with stakeholder expectations.

Attribute: People, Capabilities, Accountabilities, Behaviors, Training, Education
Evidence to Consider:
• Job descriptions for all organization personnel that contain position description, responsibilities, authorities, reporting relationships, and education.
• Development program/process that applies to all personnel.
• Leadership development program/process.
• Individual training records that include skills assessments, development plans, and training completed.
• Organization-wide training on ethics, integrity, and values.
• Succession plans.
• Personnel surveys that provide insights into how people view the organization’s commitment to people, their capabilities, accountabilities, behaviors, training, and education.
• Detailed, board-approved delegated authorities, personnel acknowledgement, periodically reviewed, validations, and remediation process where authorities are breached.

Attribute: Metrics, Measurement, Monitoring (Oversight)
Evidence to Consider:
• Documented organizational performance measurement system that illustrates the system and includes description of required information, the form of the reports, reporting periods and due dates, safeguards that ensure accuracy, and completeness.
• Copies of actual reports.
• Personnel and customer surveys: processes, questions, frequency, audiences, results, responses, and status on improvement actions.
• Monitoring systems over and above performance measurement systems that should specify what and when to monitor, responsibility, results, and improvement action plans and status.
• Details on assurance mechanisms that would include: charters, scope, plans, reports, etc.
• Benchmarking process and results.
• Due diligence evidence/documentation on assessment of third-party governance practices.
• External reports with comparisons to relevant internal reports covering governance practices.

Attribute: Communicate, Inform, Transparency
Evidence to Consider:
• External reporting process documentation that evidences legal involvement.
• Details on mandatory/required reporting to external parties.
• External reports along with documentation evidencing conformance to established procedures.
• Disclosure committee charter, roles, responsibilities, meeting minutes.
• Internal communication systems up, down, and across the organization.
• Surveys/survey questions and results regarding personnel perceptions on quality of information and communication.
• Information and communication security/privacy policies, procedures.
• Information “asset” management process/program.
• Feedback from recipients on quality of communication.

Attribute: Results, Stakeholder Expectations, Compliance, Objectives
Evidence to Consider:
• Financial reports both external and internal.
• Regulatory actions.
• Internal measurement results such as balanced scorecards.
• Civil actions.
• Organization news and blogs — what others are saying about the organization.
• Analysis, particularly external, comparing actual results to objectives and expectations, both short and longer term.

Attribute: Automation (Where applicable)
Evidence to Consider:
• IT governance/risk/control program and processes.
• Defined information security policies, procedures, and practices.

Workpaper Documentation

Because of the sensitivity of some governance audit work, there may be a need for special handling of access and storage of related audit workpapers. Audit workpapers are the property of the organization. The files are under the control of the internal audit activity and are accessible only to authorized personnel. Management review may be granted to substantiate or explain audit findings or to use audit documentation for other business purposes. Where the audit work is completed at the request of the organization’s legal counsel, the access and storage of the workpapers may require legal direction. Regardless, the CAE should approve all requests for access to audit workpapers.

5.3 Communicating Outcomes and Results

Internal audit should communicate engagement outcomes and results. Agreement should be reached with the organization’s board and executive management on dissemination of all governance-related reports. General counsel’s advice should be obtained on the communication of results and retention of related workpapers.

Communicating results should be consistent with Standard 2400: Communicating Results and the related practice advisories and practice guides.

The CAE may be asked to facilitate self-assessments of the board or its committees. The results, including action plans, if any, should be documented so the board can monitor progress. The method for documenting and communicating results will be at the discretion of the board. Options range from a written report to a brief slide presentation.

Assessments of some management governance activities might have legally sensitive results. This possibility should be considered before the assessment begins. It might be prudent to work with the organization’s general counsel and do the assessment and related reporting under legal privilege.

If the assessment yields legally or politically sensitive results that were not anticipated, reporting may be formal or informal. Consideration should be given as to which method will get corrective action taken without resulting in unintended negative repercussions. Even if reporting is informal, internal audit must follow the Standards in communicating the audit results and in monitoring improvement action progress.

5.4 Monitoring Improvement Action Progress

The CAE should establish a system to monitor the progress on improvement actions communicated to management and the board. Due to the importance of governance activities and board and CEO responsibilities for effective governance, the system should be rigorous. The system should include:

• The timeframe within which the improvement action will be completed, including key milestone dates.
• Ongoing evaluation of governance activity owners’ responses.
• Internal audit validation or follow-up audit of the improvement action.
• An escalation process for unsatisfactory response to include the assumption of risk for delayed or incomplete improvement action.

5.5 Engagement Administration

Supervision/Quality

Governance audits are high profile and carry with them higher audit risk. The CAE should ensure that these engagements are adequately staffed, properly supervised, and subject to the internal audit quality assurance and improvement process.

If the internal audit activity is to have a key role in assessing governance, its overall effectiveness in providing assurance to stakeholders is critical. The board should look to the CAE for periodic reports on the internal audit activity’s quality assurance and improvement program and ensure that the program provides for an independent assessment at least every five years. The CAE should ensure that these reports are provided. In addition, the board will draw its own conclusions on the effectiveness of the internal audit activity.

6.0 Considerations by Specific Governance Activity

6.1 Board

The board should be satisfied that there is an effective governance system in place. To that end, it should ensure that it is fulfilling all of its governance responsibilities, the right governance processes are in place within the organization and operating effectively, and transparent communications exist between the organization and its stakeholders. The board should discuss the state of the organization’s governance system. It should seek input from the three levels of assurance providers — operating or line management, enterprise-wide functions, and independent activities such as internal audit — and use external assurance providers to validate the three levels’ representations and opinions. The board should sponsor periodic evaluations and continuous improvement of governance practices. This can be done through self-assessments and obtaining assistance from the organization’s internal audit activity and external assurance service providers. A highly competent and a well-positioned internal audit activity can assist with a board’s self-assessment and can provide reliable assurance on the organization’s internal governance practices.

The exact role of the board is determined by the powers, duties, and responsibilities delegated to it or conferred upon it by applicable law and are typically specified in the organization’s articles, bylaws, charters, or rules (or other similar documents). Usually, the organization’s legal documents specify the number of members of the board, how they are to be chosen, the frequency and mode of meeting, and how decisions are to be made. The bylaws primarily contain what is prescribed in legislation. The organization’s legal documents further specify the roles and responsibilities of the board, senior management, and other corporate bodies and functions.

6.2 Strategy

Strategic planning is an organization’s process of defining its strategies for achieving its goals and objectives, and making decisions on allocating its resources to pursue its strategies, including its capital and people. Simply put, strategic planning outlines where an organization is going over the next few years and how it is going to get there.

Strategies can exist at different levels in an organization. It starts at the overall organizational level and cascades down through the organization.

Organization Strategy — At the highest level, it is concerned with the overall purpose and scope of the organization to meet stakeholder expectations. This is the most critical level since it is heavily influenced by stakeholder investment and acts to guide strategic decision-making throughout the organization.

Subsidiary Strategies — These strategies are concerned more with how the organization will successfully operate in a particular “market.” It involves strategic decisions about choice of products, meeting needs of customers, gaining competitive advantage, and exploiting or creating new opportunities.

Operational Strategy — At the operating level, these strategies are focused on how each activity or function of the organization will deliver the organization and subsidiary strategies. Operational strategies are much more detailed and key in on resources, processes, people, etc. All discrete activities and/or functions should have operational strategies.

What are some conditions of satisfaction that can be used in evaluating strategies? Strategies should:

• Be developed through a disciplined process and supported by the best available information.
• Be commonly understood by organizational personnel.
• Serve as a platform for all major decisions.
• Enhance stakeholder value.
• Align with other strategies, top-down and across the organization.
• Be clearly reflected in objectives, structures, and operations at all levels.
• Enable alignment of measurement and rewards.
• Eliminate redundancies.
• Be documented.
• Manage/maintain risks within risk tolerance limits.
• Allow risk expectations to be well understood by stakeholders, regulators, rating agencies, and capital markets.

The assurance that internal audit provides should align to the above conditions of satisfaction. The assessment is generally not intended to directly question the strategies themselves, but rather the strategic planning process and how well the strategies have been communicated through the organization and adopted at the various levels.

6.3 Enterprise Risk Management

Generally, the board will delegate the operation of the risk management process to the organization’s executive leadership team. Structures may vary depending on the size, complexity, and maturity of the organization and its commitment to risk management. For example, in a small organization with risk-conscious managers and a high degree of communication about risks, there may be no need for a formal structure. In a large organization the structure may consist of a single individual — chief risk officer (CRO) — or a CRO with a staff that owns the process and coordinates and project-manages risk management activities. Some organizations have assigned specific risk management activities to internal audit. The IIA issued a position paper in 2009 on “The Role of Internal Auditing in Enterprise-wide Risk Management.” This position paper provides guidance on permitted roles, roles that may be appropriate with safeguards, and prohibited roles. Of great importance is ownership of risks. Regardless of the roles internal audit may play, it should not own any risks other than the internal audit risk.

There are several risk management frameworks or standards to choose from in establishing the criteria upon which to base the assessment. Two of the most widely used are ISO 31000, Risk Management — Principles and Guidelines, and COSO’s Enterprise Risk Management – Integrated Framework.

For guidance on assessing risk management, see The IIA’s Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000. This practice guide presents three potential approaches:

• Process elements — are all the elements of a sound risk management process in place?
• Key principles — does the risk management process satisfy a minimum set of principles?
• Maturity model — how mature are the elements of the risk management process? This Practice Guide includes a basic risk maturity model.

The internal auditor should look at the qualitative aspects of risk management, as well as the formal processes. For example, the quality of the risk policy or risk universe is as important as having one.

6.4 Ethics

Senior management members have primary responsibility for promoting strong ethics. Most important, though, is the tone at the top they set by their actions and informal communications. These actions include their own behavior and how they respond when key employees (e.g., other executives or “the best salesman”) behave unethically. Operating managers set the tone in their own areas, which may or may not be consistent with that of the organization as a whole.

Ethical standards in areas such as gift giving are different in some countries than others. Global organizations should decide whether and how much to adapt their global standards to the local culture and make this clear to all concerned.

Internal audit should promote ethical behavior and may play a formal role such as chief ethics officer, compliance officer, or member of an ethics council, as long as such a role does not compromise internal audit’s independence.

Standard 2110.A1 states: “The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.” Evaluating the design might require developing and agreeing with management on criteria, perhaps by research and benchmarking similar programs. Evaluating the implementation will be similar to doing so for other activities. Evaluating the effectiveness (i.e., whether they are having the desired effect) requires an evaluation of the ethical climate itself.

Evaluating the ethical climate is sensitive and can be highly subjective. To succeed, internal auditors should:

• Get sponsorship and agreement on the evaluation methods from the board and/or senior management. To the extent possible, get buy-in from those who might be subject to criticism as a result of the review.
• Consider using a maturity model for the evaluation, because no ethical climate is completely good or bad.
• Consider using self-assessment methods such as surveys or workshops, in which employees evaluate the climate they work within and the ethical behavior of management and/or other employees. Whenever possible, validate the results of these methods with more tangible evidence. If they cannot be validated, make this clear in reporting, and work with management to determine the reasons for employees’ perception of the climate.

Like other governance activities, ethics can be assessed as part of a comprehensive review of governance or as a stand-alone project that contributes to the overall governance assessment, or it can be integrated into audits that focus more directly on business operations or support activities.

6.5 Compliance

Compliance and ethics are closely related and are sometimes evaluated together. The preceding section on ethics applies to compliance as well. This section presents additional considerations.

The term compliance, particularly when referring to a compliance function, normally refers to compliance with laws and regulations, rather than compliance with internal policies and procedures. Internal auditors should consider the need for technical assistance — for example, from the organization’s legal department or an outside third party — when evaluating legal and regulatory compliance.

The compliance function, if one exists, might be the subject of an audit. The scope, however, should go beyond the activities of the function itself. The effectiveness of the function is determined by the awareness of and commitment to compliance by employees whose work could be noncompliant. If the CAE is responsible for the compliance function, this audit should be outsourced to an external provider.

If there is no designated compliance function, internal auditors should determine and assess the methods by which the organization fosters compliance knowledge and commitment in its employees.

6.6 Organizational Accountability

The organization’s board and management derive their authorities from the organization’s key stakeholders. Accountability is imperative to make executive management and staff answerable for their behavior and responsive to the organization’s key stakeholders. This may be achieved differently in different countries or political structures, depending on the history, cultural milieu, and value systems involved. The mechanisms employed may vary from audit covenants at one level to broadly elected legislatures or more narrowly conceived consultative committees at another.

Accountability also means establishing criteria to measure the performance of board and management, as well as oversight mechanisms to ensure that the standards are met. The litmus test is the process by which the stakeholders can act to address inappropriate actions and reward exemplary performance. This can be a very sensitive area for internal audit to touch upon and underscores the importance of sponsorship.

When assessing accountability, internal audit should consider:

• The organization’s legal or legislative appointment, legal structures, and applicable laws and regulations.
• Formal and comprehensive “delegated authorities” and “powers reserved.”
• Documented acknowledgement by key personnel of their accountabilities.
• Processes to monitor accountabilities and corrective actions taken when accountabilities are not met.

6.7 Monitoring

There are a number of different monitoring and measurement systems in use today. Regardless of the nature, size, type, form, or specialization, organizations tend to be interested in the same general aspects of performance: financial, customer, internal business operations, employee, leadership, and society and shareholder/stakeholder satisfaction.

By definition, the purpose of monitoring is to provide the board and management with early indications of progress being made in achieving the organization’s objectives. Monitoring enables and assists the board and management in making timely decisions. Also, monitoring provides the means for holding people accountable and enables the organization to continually improve performance.

Monitoring should be based on an analysis and prioritization of the risks to achieving organizational objectives and the means by which those risks are mitigated. Risks at the level of the monitoring process itself that may need to be considered include:

• Relevance.
• Reliability.
• Adaptability to address new or changing risks.
• Accuracy.
• Objectivity.
• Completeness.
• Cost effectiveness.
• Timeliness.
• Usefulness.
• Communication and reporting content.

6.8 IT Governance

The Standards Glossary provides the following definition of IT governance: “Consists of leadership, organizational structures, and processes that ensure the enterprise’s [IT] supports the organization’s strategies and objectives.”

IT governance is an extension of the organization’s governance. As with all governance, there is no one-size-fits-all solution. Effective IT governance should be a cohesive and integrated process aligned with the business, compatible with the management decision-making style and culture, and perceived by business management as providing value. The board has oversight responsibility for IT governance. The CAE should ensure that these governance practices are included in the annual program of audits.

There are several widely recognized IT governance frameworks that may be used in establishing the criteria for assessing the part of governance related to IT. These include:

ISO 38500 – Corporate Governance of Information Technology. This international standard is applicable to all types and sizes of organizations. It is built around six principles: Responsibility, Strategy, Acquisition, Performance, Conformance, and Human Behavior.

COBIT 5 – Control Objectives for Information and Related Technology. The fifth edition focuses on governance activities that operate at the board and executive level. It is organized in three domains aligned with ISO 38500: evaluate, direct, and monitor.

Global Technology Audit Guides (GTAGs) are International Professional Practices Framework Practice Guides that provide detailed guidance for conducting internal audit activities. The GTAGs are written in very clear, concise, easy-to-understand business language. They provide guidance for the more detailed parts of an IT governance review.


Appendix — Board Risks, Control Objectives, Practices

The overall objective of organizational governance is to inform, direct, manage, and monitor an organization’s activities toward achievement of its objectives. On behalf of the organization’s key stakeholders, the board is the focal point for ensuring effective governance.

Following are examples of risks that can be encountered by boards and control objectives and practices that can be used to manage them. Each entry gives the risk/event, the control objective, and the practices that address it.

Risk/Event: Board members do not have the required organization, industry, technical, IT, or other knowledge and experience.
Control objective: To fulfill the board’s role and responsibilities in a complete, accurate, and timely manner.
Practices:
• There is a sufficient number of outside, independent members of the board as required by organization need and applicable laws.
• The sufficient number of members and expertise needed for the board is defined in formal, specific criteria.
• Practices are in place to ensure the right mix of expertise, skills, and diversity is represented on the board at all times.
• Backgrounds of potential board members are thoroughly reviewed and validated.
• Term limits are strictly enforced to ensure a regular infusion of new individuals who bring needed competencies, provide fresh thinking, and keep governance connected to the stakeholders.

Risk/Event: Members do not understand the role or responsibilities of the board.
Practices:
• An orientation and on-boarding and continuous training is conducted to ensure all members understand their role and responsibilities.

Risk/Event: Failure of board members to adequately fulfill their roles and responsibilities.
Practices:
• The board charter, policies, roles and responsibilities, and procedures are documented and made readily available.
  • Updates are made timely.
  • Changes are adequately communicated.
• Board members periodically visit the organization and meet with key leaders.

Risk/Event: Failure of the board to meet legal requirements.
Control objective: To meet legal requirements of the board.
Practices:
• All legal requirements are identified, communicated, and made readily available to board members.
  • Requirements are continuously monitored.
  • Updates are communicated timely and adequately.

Risk/Event: Failure of individual board members to exercise proper due diligence.
Control objective: To ensure all board policies, procedures, and legal requirements are followed.
Practices:
• A parliamentarian is assigned to monitor and advise on board processes and procedures and legal requirements.
• An agenda is followed and minutes are kept for all meetings.
• Action dockets or similar methods are used to track assignments and deadlines.
• Calendars are maintained to keep board members informed of meetings and important deadlines.
• Individual evaluations and board assessments are conducted at least annually to identify improvements and necessary member terminations.

Risk/Event: Insufficient challenge and skeptical inquiry is provided by board members.
Control objective: To ensure all board members’ concerns are identified and addressed.
Practices:
• Robert’s Rules of Order procedures are followed in all board meetings.
• Sufficient time is allocated in all agendas for open discussion and debate.
• The chairman of the board position is held by an outside, independent member with extensive experience on other boards. This is considered a best practice and is mandated by law in some jurisdictions because such a person is less likely to be influenced by relationships with, and the personal interests of, management, and may be more effective in challenging executive management actions.
• The board regularly interacts with the internal auditors and the external auditors, at times outside the presence of management, to ensure they are allowed to carry out their mandate in an unrestricted manner.
• There are a sufficient number of nonexecutive directors on the board and attending board meetings.

Risk/Event: Unknown or unanticipated vulnerabilities.
Control objective: To ensure board members understand the risks to the organization’s objectives and the related vulnerabilities of the organization.
Practices:
• Risk assessments conducted by the organization’s chief risk officer (if one exists), management, internal audit, or external parties (e.g., external auditors, regulators, rating agencies) are provided to board members as they become available.
• Board members conduct their own risk assessments at least annually, including scanning the environment for unanticipated events that may be harmful to the organization’s reputation.

Risk/Event: Decisions are made or actions taken based on unreliable, incomplete, or untimely information.
Control objective: To ensure the board has reliable, complete, and timely information.
Practices:
• All necessary information (e.g., background, financial impact, risks, and benefits) is provided to board members in a consistent format with sufficient time for thorough review before decisions are made.
• Sufficient time is allowed for debate prior to decisions.

Risk/Event: Failure to meet stakeholder expectations.
Control objective: To ensure primary stakeholder needs are known by all board members.
Practices:
• Primary stakeholders are identified and allowed to vote on board membership.
• Surveys are conducted to identify primary stakeholder needs on a periodic basis.
• Primary stakeholders are allowed to attend meetings and ask questions at appropriate times during the meeting.

Risk/Event: Failure to properly inform key stakeholders.
Control objective: To ensure that all mandatory and optional information is communicated accurately and timely to key stakeholders (including regulatory agencies).
Practices:
• The board reviews and approves all information, reports, and filings prior to release of information to key stakeholders.

Risk/Event: Organizational governance structures/processes/practices are ineffective or lack sustainability.
Control objective: Ensure an appropriate organizational governance framework is in place and operating effectively.
Practices:
• Board oversight and monitoring of key organizational activities such as objective setting, strategies, structures, operating plans and budgets, operating performance, and results.
• A succession planning process exists for the organization’s CEO and other key leadership positions.
• Board review and approval of the organization’s code of conduct, ethical culture, policies, and procedures.

Authors and Reviewers

Authors:
Dean Bahrman, CIA
Amipal Manchanda
James Roth, Ph.D., CIA, CCSA, CRMA
Maria Mendes, CIA, CCSA

Reviewers:
Steven Jameson, CIA, CFSA, CCSA, CRMA, CPA, CFE, CBA, CGMA
James Rose, CIA, CRMA, CPA, CISA, CISSP

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters: 247 Maitland Ave., Altamonte Springs, FL 32701 USA
T: +1-407-937-1111 / F: +1-407-937-1101 / W: www.globaliia.org

120606
IPPF – Practice Guide

Assessing the Adequacy of Risk Management Using ISO 31000

December 2010
IPPF – Practice Guide
Assessing the Adequacy of
Risk Management Using ISO 31000

Table of Contents

Executive Summary...................................................................................... 1

Introduction ................................................................................................. 1

Risk Management in the Organization........................................................ 2

Internal Auditing and Risk Management..................................................... 5

Internal Audit Review of Risk Management................................................ 6

Obtaining Audit Evidence............................................................................. 8

Assurance of the Risk Management Process............................................. 9

Assessing the Quality of Risk Management Documentation............................. 13

Authors ...................................................................................................... 14

Reviewers & Contributors.......................................................................... 14


Executive Summary

Many organizations are moving to adopt consistent and holistic approaches to risk management and recognize that risk management is a management process that should be fully integrated with the management of the organization. It applies at all levels of the organization — enterprise level, function level, and business-unit level.

The risk management framework must be designed to suit the organization: its internal and external environment. For risk management to be effective, the framework in any organization, regardless of size or purpose, should contain certain essential elements. This guide details three approaches to assurance of the risk management process: a Process Elements approach; an approach based on Principles of Risk Management; and a Maturity Model approach. The assurance process that is used should be tailored to the organization’s needs.

Internal auditors should have a means of measuring the effectiveness of risk management in an organization. This can be achieved by the examination of criteria that reflect aspects of the risk management process. The criteria used must be relevant, reliable, understandable, and complete. The aggregate of the observations should allow the auditor to form a conclusion on the organization’s level of risk management maturity.

The quality of an organization’s risk management process should improve with time. Implementing effective risk management — true ERM — often takes several years. One of the key criteria that internal auditors should consider is whether there is a suitable framework in place to advance a corporate and systematic approach to risk management.

This practice guide uses ISO 31000 as a basis for the risk management framework. Other frameworks may be used to perform the risk assessment. This guidance does not imply implicit or explicit endorsement of this or any other framework.

Introduction

Over the last few years, the importance of managing risk as part of strong corporate governance has been increasingly acknowledged. Organizations are under pressure to identify the significant business risks they face — social, ethical, and environmental as well as strategic, financial, and operational — and to explain how they manage them. The use of enterprise-wide risk management frameworks has expanded as organizations recognize the advantages of coordinated approaches to risk management.

Risk management is defined in the Glossary of the International Standards for the Professional Practice of Internal Auditing (Standards) as “a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.”1 A comprehensive risk management framework provides an end-to-end link between objectives, strategy, execution of strategy, risks, controls, and assurance across all levels in the organization.

Enterprise risk management (ERM) — or more properly enterprise-wide risk management — is a term in common use. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines it as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

ISO 31000 (Section 4.1) states that the success of risk management “will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels.”2 A risk management framework refers to the components and organization of risk management within an entity.

1 This is consistent with the International Organization for Standardization’s (ISO’s) definition of risk management, which is “coordinated activities to direct and control an organization with regard to risk.” (ISO Guide 73:2009 Definition 2.1)

Standard 2120 states “the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” It continues with the following interpretation.

“Interpretation: Determining whether risk management processes are effective is a judgment resulting from the internal auditor’s assessment that:

• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.

The internal audit activity may gather the information to support this assessment during multiple engagements. The results of these engagements, when viewed together, provide an understanding of the organization’s risk management processes and their effectiveness.

Risk management processes are monitored through ongoing management activities, separate evaluations, or both.”

The starting point for improving an organization’s approach to risk management should be a gap analysis that takes stock and evaluates what processes and systems are present now. If any of the essential parts are missing, it is highly unlikely that risk management will become effective. Internal auditors have an important role to play in assessing and improving risk management in their organizations, and assessing the organization’s risk management activities is a critical component in that effort.

This practice guide uses the structure and some of the terminology of ISO 31000. While ISO 31000 is not designed as a basis for certification, its concepts and structures form a basis for assessing any risk management process. The ISO 31000 framework is not the only risk management framework in common use, and this guidance does not imply any endorsement of this particular framework.

Risk Management in the Organization

Governance

The ISO 31000 Risk Management Standard provides guidance for the framework of risk management applicable for organizations of any size. ISO 31000 defines a risk management framework as a “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.”3 The risk management framework, regardless of the level of formality, is inherently embedded in an organization’s overall strategic and operational policies and practices. Organizational arrangements include plans, relationships, accountabilities, resources, processes, and activities. The diagram on page 3 (Figure 1) shows a conceptual model that can be used for analysis of these arrangements.

The internal auditor should assess whether the framework takes into consideration and defines risk management responsibilities and the risk management strategy, and whether the elements of the framework allow for the building of a risk-smart workforce and environment while still allowing for responsible risk-taking and innovation.

2 © ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this ISO material may be copied or reproduced in any form, electronic retrieval system or otherwise made available on the Internet, a public network, by satellite or otherwise without the prior written consent of ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org
3 Ibid.

[Figure 1: Framework for Managing Risk (ISO 31000). The figure shows five linked elements: Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework.]

Responsibilities for Risk Management

The International Organization for Standardization (ISO) defines risk attitude as an “organization’s approach to assess and eventually pursue, retain, take or turn away from risk.”4 Management is responsible for setting the organizational attitude regarding risk and the board is responsible for determining whether the risk attitude is aligned with the best interests of shareholders.

Boards provide governance oversight of ERM and should understand key elements of ERM, ask management about risks, and concur on certain management decisions. Stakeholders should be given sufficient information to understand the risk attitude of management and the board, in order to invest in accordance with their tolerances for potential variation in performance. Organizations communicate levels of risk through quarterly and annual reports, press releases, investor calls, etc.

The board has overall responsibility for ensuring that risks are managed and that there is an adequate risk management system in place. In practice, the board will delegate the operation of the risk management framework to the management team. There may be a separate function with specialized skills and knowledge that coordinates and project-manages these activities, but everyone in the organization plays a role in ensuring successful enterprise-wide risk management, and the primary responsibility for identifying and managing risks lies with management.

Monitoring and Assurance

The application of ERM changes over time. The risk attitude can change due to internal or external factors, once-effective risk responses may become irrelevant, and control activities may become less effective or no longer be performed. Changes can be brought about by the arrival of new personnel, changes in entity structure, or introduction of new processes. Furthermore, entity objectives, as well as the nature of potential events or conditions that may affect the achievement of those objectives, will change. Accordingly, management needs to determine whether the ERM components continue to be relevant and able to address new risks.

4 © ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this ISO material may be copied or reproduced in any form, electronic retrieval system or otherwise made available on the Internet, a public network, by satellite or otherwise without the prior written consent of ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org

A critical element of a sound risk management system is monitoring to ensure it is performing as intended. Monitoring can be done in two ways: through ongoing activities or separate evaluations. This combination of ongoing monitoring and separate evaluations will ensure that ERM maintains its effectiveness over time.

ERM processes incorporate periodic evaluation of risks and risk ratings. The greater the degree and effectiveness of ongoing monitoring, the less the need there may be for separate evaluations. The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of ERM is a matter of management’s judgment. In making that determination, consideration is given to the nature and degree of changes, the competence and experience of the people implementing risk responses and related controls, the nature and significance to the business of the risks that are being managed, and the results of the ongoing monitoring.

Ongoing monitoring is built into the normal, recurring operating activities of an entity. It can be more effective than

monitoring activities and, thereby, to emphasize “building in” rather than “adding on” monitoring activities.

The need for assurance arises from the governance processes of an organization. Its origin is in the stewardship relationship between the board of an organization and its stakeholders. This stewardship relationship positions boards to establish processes to both delegate and limit power to pursue the organization’s strategy and direction in a way that enhances the prospects for the organization’s long-term success. Assurance processes allow the board to monitor the exercise of that power.

The internal audit activity will normally provide assurance over the entire risk management process, including risk management activities (both their design and operating effectiveness), management of those risks classified as “key” (including the effectiveness of the controls and other responses to them), verification of the rigor and reliability of risk assessments, and reporting of the risk and control status.

With responsibility for monitoring and assurance activities traditionally being shared among various parties, including line management, internal auditing, risk management specialists, and the compliance function, it is important that assurance activities be coordinated to ensure resources are used in the most efficient and effective way. It is common for organizations to have a number of separate
separate evaluations, because it is performed on a real- groups performing different risk management advisory,
time basis, reacting dynamically to changing conditions, compliance, and assurance functions independently of
and is ingrained in the entity. Problems will often be iden- one another. Without effective coordination and report-
tified most quickly by ongoing monitoring processes since ing, work can be duplicated or key risks may be missed or
separate evaluations take place after the fact. Some enti- misjudged.
ties with sound ongoing monitoring activities will none-
theless conduct a separate evaluation of ERM, or portions The chief audit executive (CAE) is directed by Standard
thereof. The perceived level of objectivity is greater for 2050 to coordinate activity with other assurance provid-
separate evaluations than for self-monitoring. ers. The use of an assurance map can help achieve this,
offering an effective tool to manage and communicate this
An entity that perceives a need for frequent separate coordination. Practice Advisory 2050-2 provides more in-
evaluations should focus on ways to enhance its ongoing formation regarding Assurance Maps.

Internal Auditing and Risk Management

Standard 2100 states that “the internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.” The internal audit activity often has a role providing independent and objective assurance to the organization’s board regarding the effectiveness of an organization’s ERM activities. This helps ensure key business risks are being managed appropriately and the organization’s system of internal controls is operating effectively and efficiently.

Risk management is a management process that promotes the cost-effective achievement of organizational objectives; assurance provides reliable information about the achievements of risk management activity. Assurance and risk management are complementary processes.

In support of the risk management process, internal auditing and other independent assurance providers would assess whether:
• The risk management process has been applied appropriately and all elements of the process are suitable and sufficient.
• The risk management process is in keeping with the strategic needs and intent of the organization.
• All significant risks have been identified and are being treated.
• Controls are being correctly designed in keeping with the objectives of the risk management process.
• Critical controls are adequate and effective.
• Review by line management and other nonaudit assurance activities are effective at maintaining and improving controls.
• Risk treatment plans are being executed.
• There is appropriate and as-reported progress in the risk management plan.
• Any consulting advice or challenge to (or support of) management’s decision-making does not involve internal auditing making risk management decisions themselves.

In support of the assurance process, the risk management process will:
• Establish an organization-specific, documented risk management framework.
• Provide a structured analysis of the risks of the organization recording:
  – The organizational objective(s) and their associated risks.
  – Potential exposures and assessments of current risk.
  – The organizational position responsible for managing each risk.
  – The key control systems established to manage each risk.

It is not uncommon for the internal audit activity of an organization to work in close cooperation with the risk management function. Some organizations do not have a formal risk management function and, in this case, internal auditing often provides more extensive risk management consulting services to the organization. Internal auditing may provide risk management consulting, provided certain conditions apply:
• It should be clear that management remains responsible for risk management. Whenever internal auditing consults with the management team to set up or improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these activities to members of management.
• Internal auditing cannot give objective assurance on any part of the risk management framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
• The nature of such services provided to the organization should be documented in the internal audit charter and be consistent with other internal audit responsibilities.

The IIA Position Paper “The Role of Internal Auditing in Enterprise-wide Risk Management” includes the following diagram that illustrates a range of ERM activities and indicates which roles an effective professional internal audit function should and should not undertake.

[Figure 2 – Internal Audit Role in ERM: fan diagram; image not reproduced. Labels recovered from the figure:]
Core internal audit roles in regard to ERM: Giving assurance on the risk management process; Giving assurance that risks are correctly evaluated; Evaluating risk management processes; Evaluating the reporting of key risks; Reviewing the management of key risks.
Legitimate internal audit roles with safeguards: Facilitating identification and evaluation of risks; Coaching management in responding to risks; Coordinating ERM activities; Consolidated reporting on risks; Maintaining and developing the ERM framework; Championing establishment of ERM; Developing risk management strategy for board approval.
Roles internal audit should not undertake: Setting the risk appetite; Imposing risk management processes; Management assurance on risks; Taking decisions on risk responses; Implementing risk responses on management’s behalf; Accountability for risk management.

Figure 2 – Internal Audit Role in ERM

Internal Audit Review of Risk Management

For higher risk areas where management has acknowledged the need to improve controls, there may be an opportunity for internal auditing to add value to the organization through consulting activities. The middle third of audit activities in Figure 2 above represent advisory and consulting activities, delivered at the entity or business unit/departmental level, in a manner that should maintain internal auditing’s independence and objectivity.

Although such advisory and consulting activities can be a valuable part of an audit plan, the scope of this Practice Guide focuses on the assurance activities described on the left side of the fan. Such activities can be categorized in three primary types:
• Assurance on the risk management process itself.
• Assurance on significant risks and management assertions.
• Follow-up of risk treatment plan status.

Assurance on the Risk Management Process

Assurance on the risk management process itself can be performed to provide reasonable assurance to senior management and the board that an organization’s risk management program is effectively designed, documented, and operating to achieve its objectives. Potential questions that such assurance should be designed to answer could include:
• Does the risk management program have adequate commitment from organization management, including adequate stature and resources in relation to risks, and is it an appropriate part of organizational processes and decision-making?
• Are the risk management framework design and evaluation criteria appropriate for the internal and external context (environment) of the organization?
• Is there adequate definition and communication of requirements, risk evaluation criteria, and accountability for the development, implementation, and maintenance of the risk management framework and specific risk area evaluations?
• Is the risk attitude established at the proper level in the governance structure of the organization?
• Are internal communication and reporting mechanisms adequate to ensure that key outcomes of the risk management activities are communicated appropriately within the organization (balancing transparency with sensitivity)?
• Do reports to stakeholders adequately reflect the organization’s attitude to and treatment of risks?
• Are external communication and reporting mechanisms adequate to comply with relevant legal, regulatory, corporate governance, and disclosure requirements?
• Do adequate performance measures and reporting exist to monitor the design and effectiveness of the risk management framework?
• Are risk evaluation criteria, appetites, responses, and escalation/reporting requirements consistently applied in practice across the organization? Are people with the appropriate knowledge responsible for risk identification? Is the current state of risk identification adequate?
• Are the risk framework and related processes and controls modified as business conditions and organizational needs change?
• Are people with the appropriate knowledge responsible for risk analysis, evaluation, and treatment/response? Are these activities adequately reviewed and approved?
• Are risk treatment plans and status monitored and adequately communicated with appropriate levels of management and the board?

Assurance on Significant Risks and Management Assertions

During all other assurance work where the scope relates to higher potential exposures identified in an organization’s risk management process, audit procedures and communications should be designed to evaluate management’s assertions on the effectiveness of controls in bringing risk within an organization’s risk tolerance threshold.

Reports to management (and the board) can describe the potential exposure and management’s assessment of current risks (with the implied value of the controls in place) together with the audit evaluation of the risk ratings. Any differences should be fed into management’s risk management process for consideration.

The cumulative effect over time of such assurance activities over specific risk areas in a risk-based audit plan will provide assurance not only over those specific risk areas, but serve as assurance of the effectiveness of the overall risk management process.

Follow-up of Risk Treatment Plan Status

For risk treatment or control remediation plans relating to higher potential exposures, especially where plans are relatively longer in duration, it may be appropriate to monitor performance against the plan. At a minimum, such monitoring should be designed to provide management with an assessment of progress against milestones and validate risk treatment plan status reports to the board.

In addition, such monitoring can assess the plan structure, resources, accountabilities, project management, etc. and provide recommendations and considerations to enhance the likelihood of plan success.

Obtaining Audit Evidence

In audits of the risk management process of an organization, Practice Advisory 2120-1, Assessing the Adequacy of Risk Management Processes, paragraph 8, states:

“Internal auditors need to obtain sufficient and appropriate evidence to determine that the key objectives of the risk management processes are being met to form an opinion on the adequacy of risk management processes. In gathering such evidence, the internal auditor might consider the following audit procedures:
• Research and review current developments, trends, industry information related to the business conducted by the organization, and other appropriate sources of information to determine risks and exposures that may affect the organization and related control procedures used to address, monitor, and reassess those risks.
• Review corporate policies and board minutes to determine the organization’s business strategies, risk management philosophy and methodology, appetite for risk, and acceptance of risks.
• Review previous risk evaluation reports issued by management, internal auditors, external auditors, and any other sources.
• Conduct interviews with line and senior management to determine business unit objectives, related risks, and management’s risk mitigation and control monitoring activities.
• Assimilate information to independently evaluate the effectiveness of risk mitigation, monitoring, and communication of risks and associated control activities.
• Assess the appropriateness of reporting lines for risk monitoring activities.
• Review the adequacy and timeliness of reporting on risk management results.
• Review the completeness of management’s risk analysis and actions taken to remedy issues raised by risk management processes.
• Determine the effectiveness of management’s self-assessment processes through observations, direct tests of control and monitoring procedures, testing the accuracy of information used in monitoring activities, and other appropriate techniques.
• Review risk-related issues that may indicate weakness in risk management practices and, as appropriate, discuss with senior management and the board. If the auditor believes that management has accepted a level of risk that is inconsistent with the organization’s risk management strategy and policies, or that is deemed unacceptable to the organization, refer to Standard 2600 and related guidance for additional direction.”

Different techniques can be used to obtain audit evidence, including:
• Observations — for example, by being present when risk management is carried out at the different levels of the organization from the board and all the way down to individual departments, programs, projects, and the employees.
• Interviews.
• Document reviews — for example, agendas, supporting documents and minutes from board, executive, or other senior management committees, strategic plans, and supporting documents for resourcing decisions.
• Results from previous audits.
• Reliance on the work of others.
• Analytical techniques — for example, root cause analysis of detected faults.
• Process mapping.
• Statistical analysis — for example, analysis of the types of incident or “near misses.”
• Risk model review and assessment.
• Surveys.
• Analysis of control self-assessment.

Often, a combination of different audit techniques will be used to gather sufficient information and evidence to reach a conclusion. The auditor selects the most appropriate procedure for the audit objective of the assignment. The auditor also assesses whether sufficient resources and skills are available to perform all the work required to provide sufficient support for an opinion. The auditor considers whether it might be prudent to decline to express the opinion or to qualify the opinion by excluding certain areas or risks from the scope of the opinion if sufficient resources or skills are not available.

The requirement for evidence will vary depending on the kind of opinion the auditor wishes to render. Positive assurance provides the highest level of assurance and normally also requires the most evidence to support the opinion. Such an opinion implies not only, for example, whether controls/risk mitigation processes are adequate and effective, but also that sufficient evidence was gathered to be reasonably certain that evidence to the contrary, if it exists, would have been identified.

Negative assurance does not provide as much assurance and therefore normally does not require as much audit evidence. When rendering negative assurance, the auditor, for example, states that based on the work done, nothing came to the auditor’s attention. By rendering such an opinion, the auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. Such an opinion is generally considered less valuable than positive assurance.

More extensive guidance on opinions can be found in the Practice Guide “Formulating and Expressing Internal Audit Opinions.”

Audit conclusions should be factual, objective, and backed by sufficient audit evidence. Sufficiency implies the audit evidence is factual, adequate, and convincing so that a prudent, informed person would reach the same conclusions as the auditor. Audit evidence must be appropriately documented and organized.

The audit activity must not unknowingly provide any level of false assurance (reference PA 2120-2: Managing the Risk of the Internal Audit Activity, paragraph 8). “False assurance” is a level of confidence or assurance based on perceptions or assumptions rather than fact. In many cases, the mere fact that the internal audit activity is involved in a matter may create some level of false assurance. The scope of internal audit activity involvement may be misunderstood and, consequently, false assurance may result.

Assurance of the Risk Management Process

A governing body should be able to determine the extent to which the risk management process in its organization meets the needs of the organization and has adopted generally accepted good practice. Risk management is a critical component of the system of internal control, so deficient risk management processes are an indicator that the organization’s system of internal control may be deficient.

It is important that an organization obtains assurance on its risk management process. This assurance must accommodate the possibility that the internal auditor might not be functionally independent of the risk management function. In this case, assurance may be sought from an external party.

Three forms of assurance process that may be used in assessing a risk management process are outlined below:5

5 These approaches are quoted from HB158:2010 Delivering assurance based on ISO 31000:2009 Risk management — Principles and guidelines, a joint publication of Standards Australia, IIA-Australia, and the IIA Research Foundation. HB158 provides a more extensive discussion of these and other issues.

• Process elements approach
• Key principles approach
• Maturity model approach

While each form is self-contained, they each offer a different perspective on the effectiveness of a risk management process in an organization. Often, the adoption of more than one approach can yield the most informative and useful results. The risk management process should be appropriately tailored to the organization, its size, culture, objectives, and risk profile. Therefore, the assurance process also needs to be tailored to the organization’s needs.

The results of any desk-based review must be validated by examining whether the risk management framework is operating effectively in practice. This means that this type of assurance activity should not be conducted in isolation and should always accompany or involve normal control-based assurance that determines whether:
• Risks are being effectively identified and appropriately analyzed.
• There is adequate and appropriate risk treatment and control.
• There is effective monitoring and review by management to detect changes in risks and controls.

Process Element Approach

This approach checks whether each element of the risk management process is in place. It is essential to validate management’s expressions of intent through sufficient audit evidence to substantiate that the element is being satisfied in practice. Management representation alone would rarely be sufficient. ISO 31000 identifies seven components of the risk management process:
• Element 1 – Communication: Sound risk management requires structured and ongoing communication and consultation with those who are affected by the operations of the organization or activity.
• Element 2 – Setting the Context: The external environment (political, social, etc.) and internal environment (objectives, strategies, structures, ethics, discipline, etc.) of the organization or activity must be understood before the full range of risks can be identified.
• Element 3 – Risk Identification: Identifying the risks should be a formal, structured process that considers sources of risk, areas of impact, and potential events and their causes and consequences.
• Element 4 – Risk Analysis: The organization should use a formal technique to consider the consequence and likelihood of each risk.
• Element 5 – Risk Evaluation: The organization should have a mechanism to rank the relative importance of each risk so that a treatment priority can be established.
• Element 6 – Risk Treatment: Sound risk management requires rational decisions about risk treatment. Classically, such treatment is to avoid the activity from which the risk arises, share the risk, manage the risk by the application of controls, or accept the risk and take no further action.
• Element 7 – Monitor and Review: Monitoring includes checking the progress of treatment plans, monitoring controls and their effectiveness, ensuring that proscribed activities are avoided, and checking that the environment has not changed in a way that affects the risks.

Key Principles Approach

This approach is based on the concept that to be fully effective, any risk management process must satisfy a minimum set of principles or characteristics. ISO 31000 includes a section (Clause 4) on these principles. An audit based on these principles would assess to what extent they are true for the risk management process in an organization:
• Risk management creates and protects value.6 This implies the application of the most rigorous risk management when the value at stake is highest. It also suggests that a range of techniques applicable at various levels of exposure should be available in the organization.
• Risk management is an integral part of organizational processes.7 Risk management should not be seen as an add-on task.
• Risk management is part of decision-making.8 The more important the decision, the more explicit this association should be.
• Risk management explicitly addresses uncertainty.9 Risk assessments would be expected to document areas of uncertainty and consider how best to address the uncertainty identified.
• Risk management is systematic, structured, and timely.10
• Risk management is based on the best available information.11 Obtaining information can be expensive and the process should provide guidance on what constitutes sufficient information.
• Risk management is tailored.12 It is not an out-of-the-box process and must match the operations of the organization.
• Risk management takes human and cultural factors into account.13 The processes must be appropriate to the competence and culture of those who must use them.
• Risk management is transparent and inclusive.14 There should be appropriate and timely involvement of stakeholders.
• Risk management is dynamic, iterative, and responsive to change.15 The process should be regularly reviewed and respond to changes in the organization and its environment so that it remains relevant.
• Risk management facilitates continual improvement and enhancement of the organization.16 Risk management should mature along with other organizational processes.

6 © ISO. This material is reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO); see note 4 for the full copyright notice.
7 Ibid.
8 © ISO. Reproduced from either ISO 31000:2009 or ISO Guide 73:2009 with permission of ANSI on behalf of ISO; see note 4 for the full copyright notice.
9 Ibid.
10 Ibid.
11 Ibid.
12 Ibid.
13 Ibid.
14 Ibid.
15 Ibid.
16 Ibid.

Maturity Model Approach

The maturity model approach builds on the assertion that the quality of an organization’s risk management process should improve with time. Immature systems of risk management yield very little return for the investment that has been made and often operate as a compliance overhead or an imposition, more concerned with the reporting of risks than with their effective treatment. Effective risk management processes are developed over time, with additional value being provided at each step in the maturation process. This approach provides an assessment of where the organization’s risk management process lies on the maturity curve, so that the board and management can assess whether it meets the current needs of the organization and is maturing as expected.

A key aspect of the Maturity Model approach is the linking of risk management performance and progress in the execution of a risk management plan to a performance measurement and management system. The outputs from such a system can be presented to senior management and the board as evidence of improvement in risk management. The components for such a system normally consist of:
• A protocol of performance standards, considering current approaches to risk management and anticipating future strategic needs. Performance standards are normally supported by a list of more detailed performance requirements that enable measurement of any improvement in performance.
• A guide to how the standards and sub-requirements can be satisfied in practice.
• A means of measuring actual performance against each standard and sub-requirement.
• A means of recording and reporting performance and improvements in performance.
• The periodic independent verification of management’s assessment.

Clause 4 of ISO 31000 contains a list of practical and important “principles” that should be the starting point for any maturity evaluation. These principles address not only “does the process element or system exist” but also “is it effective and relevant for your organisation” and “does it add value.” In fact, the first principle is that risk management must add value.

Actual performance against each performance standard is assessed using some system of maturity measurement that gives credit for intent, but full scores can only be obtained by the complete implementation and practical application of the standard. A possible system for measuring maturity (based on the original idea of Capability Maturity Models developed by the Carnegie Mellon University) is shown below.

Figure 3 – Maturity Model (source: HB158)

Measure        Meaning
None           Very little or no compliance with the requirement in any way. Management supports the intent, but compliance in practice is poor.
Very Little    Only limited compliance with the requirement.
Some           Limited compliance with element statement. Certainly agree with the intent, but limited compliance in practice.
Good           Management completely subscribes to the intent, but there is partially complete compliance in practice.
Complete       Absolute compliance with the element statement — in intent and in practice — at all times and in all places.

Assessing the Quality of Risk Management Documentation

The extent of documentation of an entity’s ERM will vary with the entity’s size and complexity. Larger organizations usually have written policy manuals, formal organization charts, written job descriptions, operating instructions, information system flowcharts, and so forth. Smaller, less complex organizations typically have considerably less documentation.

Many aspects of ERM may be informal and undocumented and yet can be regularly performed and highly effective. These activities may be tested in the same ways as documented activities. The fact that elements of ERM are not documented does not necessarily mean that it is not effective or cannot be evaluated. An appropriate level of documentation, however, usually makes monitoring more efficient. It is helpful in other respects too. It facilitates employees’ understanding of how the process works and their particular roles, and makes it easier to make modifications when necessary.

In deciding to document the evaluation process itself, the internal auditor will usually draw on existing documentation of the entity’s ERM processes. Existing documentation will typically be supplemented with additional documents prepared by the auditor, including evidence of the tests and analyses performed in the assessment process. The nature and extent of documentation normally is more substantive when statements about ERM are made to other parties.

When management intends to make a statement to external parties regarding ERM effectiveness, it should consider developing and retaining documentation to support the statement. The internal auditor should consider whether:
• A strategy for managing risk information from all sources is in place.
• Necessary infrastructure for communicating risk information is in place.
• There are common definitions.
• There are guidelines for the creation, deletion, and sharing of risk information.
• There are adequate resources assigned.
• Technology is cost efficient and used where appropriate.
• A proactive approach is taken for monitoring.
• Risk information is part of the planning process.
• Risk information is integrated with performance information.

These considerations and any decisions made to implement activities/processes should be documented. Such documentation may be useful if the statement is subsequently challenged.

Authors
Andrew MacLeod, CIA

Patricia A. MacDonald

Benito Ybarra, CIA

Trygve Sorlie, CIA, CCSA

Brian Foster, CIA

Teis Stokka, CIA

Reviewers and Contributors

Douglas J. Anderson, CIA

Steven E. Jameson, CIA, CCSA, CFSA

James A. Rose, III, CIA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters: 247 Maitland Ave., Altamonte Springs, FL 32701 USA
T: +1-407-937-1111 | F: +1-407-937-1101 | W: www.theiia.org
IPPF – Practice Guide

Assisting Small
Internal Audit Activities
In Implementing the
International Standards for
the Professional Practice
of Internal Auditing
APRIL 2011
IPPF – Practice Guide
Assisting Small Internal Audit Activities
in Implementing the Standards

Table of Contents

Executive Summary ...........................................................................................................................3

Introduction........................................................................................................................................4

Definition of a Small Internal Audit Activity ......................................................................................6

Key Challenges Faced by Small Internal Audit Activities in Implementing IIA Standards ....................6

Guidance for Implementing the Standards .........................................................................................8

Conforming With Standard 1000 – Purpose, Authority and Responsibility .........................................8

Conforming With Standard 1100 – Independence and Objectivity .....................................................9

Conforming With Standard 1200 – Proficiency and Due Professional Care ......................................11

Conforming With Standard 1300 – Quality Assurance/Improvement Program .................................13

Conforming With Standard 2000 – Managing the Internal Audit Activity..........................................15

Conforming With Standard 2100 – Nature of Work .........................................................................17

Conforming With Standard 2200 – Engagement Planning ...............................................................18

Conforming With Standard 2300 – Performing the Engagement.......................................................20

Conforming With Standard 2400 – Communicating Results ............................................................22

Conforming With Standard 2500 – Monitoring Progress ..................................................................24

Conforming With Standard 2600 – Management’s Acceptance of Risk ............................................25

Reliance on the Work of Small Audit Activities by External Auditors .................................................26

Appendix A – Template to Facilitate Determination of Gaps in Conformance with the Standards.......29

Executive Summary

The International Professional Practices Framework (IPPF) and underlying International Standards for the Professional Practice of Internal Auditing (Standards) provide the chief audit executive (CAE) and internal audit leadership a framework and related guidance to use in evaluating and ensuring the effectiveness of the internal audit activity. The Standards also provide internal auditing’s stakeholders a basis for evaluating the activity’s effectiveness. The Standards are applicable to all internal audit departments regardless of size, level of resources, complexity, or objective and scope.

This practice guide provides a working definition of the term small internal audit activity. The guide acknowledges the challenges that CAEs and audit leadership in small audit activities may face in implementing the Standards, provides suggestions for meeting those challenges, and discusses the benefits of using the Standards. Many of the challenges discussed in this guide are not unique to small audit activities; larger activities may face many of the same challenges. However, these challenges are more frequently encountered and more difficult to overcome in small audit activities.

Although the CAE of a small internal audit activity is responsible for ensuring implementation of all Standards, the degree of challenge for conformance to each standard may vary among small activities. The chart in the Introduction provides a visual summary of the degree of challenge that the CAE may face in conforming to the Standards. The chart is based on informal discussions with small audit groups and also amongst the members of The IIA’s committees. Although conformance with the Standards may pose challenges, it is possible with the development of appropriate strategy and planning. The Standards are principles-based and are meant to be applicable to internal audit activities of all sizes.

The CAE of a small audit activity should assess the current level of conformance to each standard to determine gaps in conformance to the overall Standards. (A template is provided in Appendix A.) Upon identification of gaps, the CAE should develop a plan to fully conform to the Standards based on guidance in this practice guide and other IPPF guidance. It is important for the CAE to incorporate elements of the Standards into the internal audit activity’s vision, mission, and charter. Further, it is critical that the CAE clearly communicates the activity’s vision, mission, and charter to key stakeholders.

Introduction

The IIA is pleased to present this practice guide to assist small internal audit activities in implementing the International Standards for the Professional Practice of Internal Auditing (Standards).

The scope of work performed by today’s practitioners is broad and varied. There is a heightened need for concise guidance that can be adopted and followed readily, regardless of the industry, audit specialty, or sector. The IIA’s International Professional Practices Framework (IPPF) provides practical guidance in the form of Standards, Practice Advisories, Practice Guides, and Position Papers. Within the IPPF is mandatory guidance and strongly recommended guidance. This practice guide is intended to serve as strongly recommended guidance for use primarily by small internal audit activities.

This practice guide provides specific examples and leading practices, relevant to the CAE and audit management of small internal audit activities, on how to best approach implementation of the Standards.

The guide provides information in the following format:

IIA Standard Definition of each standard

Challenges Likely challenges small internal audit activities face in conforming to The IIA’s Standards.

Guidance Recommended guidance on conforming to The IIA’s Standards.

Small internal audit activities should conform to all IIA standards. Appendix A provides a template for mapping, including
a list of the Standards.

Standard # | Standards Title | Degree of Challenge (L = Low, M = Medium, H = High)

1000 | Purpose, Authority, and Responsibility | L

1100 | Independence and Objectivity | H

1200 | Proficiency and Due Professional Care | M

1300 | Quality Assurance / Improvement Program | H

2000 | Managing the Internal Audit Activity | H

2100 | Nature of Work | M

2200 | Engagement Planning | H

2300 | Performing the Engagement | H

2400 | Communicating Results | M

2500 | Monitoring Progress | M

2600 | Management’s Acceptance of Risks | M

Indications of likely degree of challenge:

L / Green – Low degree of challenge
M / Amber – Medium degree of challenge
H / Red – High degree of challenge

Definition of a Small Internal Audit Activity

The views of internal audit practitioners globally vary on the criteria for defining an internal audit activity as small. The criteria are affected by the characteristics of the internal audit activity — role and purpose, maturity, country and culture, and the global or local nature of the organization in which it operates.

For purposes of this guide, several common elements have been considered as being related to a small audit activity. Typically, a small internal audit activity will have one or more of these characteristics:

• One to five auditors.
• Productive internal audit hours below 7,500 a year.
• Limited level of co-sourcing or out-sourcing.

Being small does not equate to being ineffective or under resourced. In many circumstances, a small internal audit activity is appropriately structured for the size and risks attributable to the business it serves.

However, smaller audit activities may have challenges not typically faced by larger audit activities that have greater economies of scale.

Key Challenges Faced by Small Internal Audit Activities in Implementing IIA Standards

Adequacy of Resources
Limited resources impact the small internal audit activity’s ability to conform to many IIA Standards. For example, the Quality Assurance and Improvement Program standard that requires internal assessments periodically and external assessments at least every five years may be difficult to achieve due to inability to fund an external assessment. Additionally, large investments in innovation or automation for the internal audit activity may not be permissible within constrained budgets. For each of the following standards, suggestions are provided to assist the CAE in achieving conformance, despite potential limitations.

Retention of Qualified Staff or Subject Matter Experts
Small internal audit activities may have difficulty attracting, hiring, or engaging subject matter specialists (i.e., specialists to execute audits that relate to the complex risks facing the organization). For example, technology audits and audits of specialized industries may be more difficult to staff adequately if budget constraints are present or the necessary expertise to perform these audits does not reside within the department. For the CAE and audit leadership, recruitment and retention of qualified staff or specialists is critical as small audit activities often lack the traditional hierarchies of management staff and attractive compensation packages associated with larger audit activities. Conversely, a small activity may attract more experienced auditors who would welcome the opportunity to work with less hierarchy and/or the ability to make more direct contributions to the audit group.

Independence
Small audit activities also may have challenges with independence and objectivity due to the reporting structure of the activity, newness of the activity, closer associations with management, weaker organizational governance, and the existence of additional responsibilities outside of the core activity.

Guidance for Implementing the Standards

Conforming With Standard 1000 – Purpose, Authority and Responsibility

Standard:
The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The CAE must periodically review the internal audit charter and present it to senior management and the board for approval.1

Challenge:
Degree of Challenge LOW

Conformance with this Standard is not dependent upon the size of the audit activity and should present no unique challenges for the small audit activity.

Guidance:
The CAE should discuss the requirement for a charter with the board and appropriate senior management, thoroughly explaining the purpose of the internal audit charter and the benefits provided to the organization from the charter’s adoption. It is important for the CAE to incorporate elements of the Standards into the internal audit activity’s vision, mission, and charter. Further, it is critical that the CAE clearly communicate the activity’s vision, mission, and charter to key stakeholders. The CAE must periodically (e.g., annually) review and assess the contents of the charter, and the policies and procedures, to ensure the content is relevant and continues to add value to the organization. These reviews must be communicated to the board and senior management. The board should annually review and approve the charter. The CAE should maintain documentation of all communications with the board and senior management pertaining to the internal audit activity’s charter, policies, and procedures.

Conforming With Standard 1100 – Independence and Objectivity

Standard:
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Challenge:
Degree of Challenge HIGH

Difficulties with reporting levels and organizational structure are not unique to small internal audit activities. However, individual independence and objectivity of auditors in a small activity, and particularly within a smaller organization, can be challenged as these auditors may be given operational responsibility for other activities, such as records management, compliance activities, IT security, investor relations, risk management, or other finance and accounting activities. Additionally, auditors in a smaller organization often establish closer relationships with other members of the management team, creating the perception that a conflict of interest may be present. The department’s organizational reporting structure may also impair its independence or objectivity, depending on the nature of the reporting relationships. For example, the CAE may not functionally report to the board or to a member of the executive team. Instead, the CAE may report to an individual who performs, or who has direct responsibility for, areas that are the subject of audits.

Guidance:
It is imperative that the CAE maintain open communication with the board and senior management concerning the importance of auditor independence and objectivity.

1 For purposes of this Practice Guide, the Interpretations to the Standards, and often the layers of Standards beyond the top one in a category, are not included. The reader is referred to the full Standards to understand fully the requirements and meanings of each of the Standards, including their introduction, interpretations and glossary.

The difficulties involved with auditing those areas over which auditors may have been given operational responsibility should be fully explained. The CAE should present various alternatives for how those areas might be audited, including the use of external resources. For example, with sufficient resources in the internal audit function, only those auditors who are not directly responsible for the operational area or an outside service provider could perform the audit, and the results could be communicated to both the CAE and another member of management external to the function. If this solution is not practical, then the impairments and other auditing alternatives should be included in the CAE’s risk assessment for the audit plan, and discussed with the board and senior management.

In organizations where close working relationships are an expectation, the work of the internal audit function should always be performed with objectivity and independence in mind. The CAE or audit leadership should clearly communicate to the board and senior management engagement scope and basis for conclusions. The CAE and other auditors should continue to reinforce the importance of auditor independence and objectivity (at the organization or engagement level).

Overall, the CAE should discuss these challenges, as well as the challenges resulting from organizational reporting structures, with the board and appropriate level of senior management. Such communication should be made in conjunction with establishing the audit plan and more frequently if warranted based on engagements performed or to be performed. However, the CAE should use caution to ensure that such communications are not perceived as excuses or impediments to performing certain audits. When issuing a report where independence or objectivity could not be achieved satisfactorily, the CAE has the obligation to disclose this fact in the audit report including reason(s) and related impact.

Conforming With Standard 1200 – Proficiency and Due Professional Care

Standard:
Engagements must be performed with proficiency and due professional care.

Challenge:
Degree of Challenge MEDIUM

The challenges faced in conforming to this series of Standards are compounded in a small internal audit activity with limited resources as the activity may not be able to hire the personnel or third-party specialists required to perform the work (due to budget limitations) or may not be able to invest in training for current staff to gain these skills.

Guidance:
When striving to perform engagements proficiently and with due professional care, the emphasis is on deploying qualified resources. Although supervision of engagements is expected, the CAE should seek auditors with sufficient experience who may not require extensive supervision. Additionally, the CAE could also ensure that those auditors with limited experience are performing engagements commensurate with their experience. Overall, the CAE should seek resources with experience and knowledge that are complementary to the skills necessary to execute the audit plan.

The CAE may need to determine if an internal, external, or mixed staffing model would best serve the needs of the internal audit activity and the organization. Opportunities to leverage other organizational resources may exist. Such opportunities could allow internal auditing to guide and supervise the efforts of nonaudit staff members who have the relevant knowledge and objectivity to perform specific engagements. In many cases, the nature of engagements to be performed may imply the need to engage specialists within or external to the organization.

In addition, the CAE may consider:

• Using a formal process that is well-organized and documented.
• Seeking guidance from peers.
• Using reference materials such as books, audit programs, internal control questionnaires (ICQs), templates, regulatory guides and manuals, etc.

When training resources — either time or funds — are limited, the internal audit activity should leverage training that is provided free of cost or low cost (e.g., Web-based training, local IIA training). The CAE also should ensure that training attended by one member of the audit activity is discussed with other members of the activity. The CAE should maximize the use of the services and resources of local professional associations and organizations. Opportunities also may exist to partner with functional groups within the organization or other internal audit activities in securing training of mutual interest at competitive rates.

The CAE also may consider reaching out to CAEs of larger internal audit activities in the local area to explore joint training and to their external auditors to explore technical accounting/controls training.

Conforming With Standard 1300 – Quality Assurance/Improvement Program

Standard:
The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

1310 - The quality assurance and improvement program must include both internal and external assessments.

1321 - The CAE may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

Challenge:
Degree of Challenge HIGH

Financial resources may limit the ability to perform an external or internal quality assessment (QA) in accordance with the Standards. The performance of an internal QA also may be challenging due to time and staff constraints and lack of suitable independent reviewers.

Guidance:
When scheduling internal assessments, small internal audit activities may need to consider greater involvement of those with suitable knowledge of internal audit practice. CAEs oversee such assessments; however, individuals performing these assessments may also include resources within the organization who have prior audit experience or who are specifically trained to perform QAs. Quality should be integrated into the audit process. For example, audit review should be embedded as a part of each audit and obtaining feedback from stakeholders through surveys or documented discussions should be part of the audit routine. The annual review of audit templates, etc. also may be part of the internal assessment and improvement program.

The format and length of such assessments should facilitate review and completion. The better defined the expectations for components of the internal audit activity, the extent of documentation, etc., the easier it will be to clearly measure performance against these expectations. Use of checklists outlining these defined expectations simplifies this internal assessment process. Checklists and tools available from The IIA’s Quality Assurance Manual support the timely and cost-effective completion of these assessments.

For the small internal audit activity, internal self-assessments should be performed at least annually. More frequent self-assessments are encouraged as permissible by organization or department constraints. These internal

assessments should be documented to help facilitate the external assessment.

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The small internal audit activity may use external peer organization reviews to satisfy the above standard. To facilitate such reviews, the CAE can engage other internal audit activities of similar size or of similarly sized organizations to participate in such reviews. Organizations also can coordinate with local IIA chapters/institutes to identify participants. For example, four similar-sized organizations may perform external assessments of each other in such a manner that no two organizations review each other. Arranging this type of bartered peer review enables the small audit activity to reduce third-party assessment fees, though there will be opportunity costs of use of company staff. The CAE will need to consider the qualifications and independence of the peer reviewer and appropriateness of review frequency. Another option for external assessment is a self-assessment with external validation by an independent firm. This is a means to lower the cost.

Finally, the CAE must communicate the results of the quality assurance and improvement program to senior management and the board.

Conforming With Standard 2000 – Managing the Internal Audit Activity

Standard:
The CAE must effectively manage the internal audit activity to ensure it adds value to the organization. The interpretation of this standard further provides that the internal audit activity is effectively managed when:

• The results of the internal audit activity’s work achieve the purpose and responsibility included in the internal audit charter.
• The internal audit activity conforms with the Definition of Internal Auditing and the Standards.
• The individuals who are part of the internal audit activity demonstrate conformance with the Code of Ethics and the Standards.

Challenge:
Degree of Challenge HIGH

The CAE of a small internal audit activity could have difficulty demonstrating that the activity adds value to the organization if the priorities of the department differ from management’s perspective. If internal auditing’s mission is focused on auditing the effectiveness of the control environment, while senior management or the board views cost recovery efforts to be a better value-added activity, then conflict can arise.

In addition, if the internal audit activity is overworked, or is frequently called on to perform ad hoc engagements at the request of management, the internal audit charter may not be fulfilled. In this case, internal auditing risks becoming just another support function within the organization, and the objectivity and purpose of the activity can be compromised.

Guidance:
Toward the attainment of the organization’s objectives, it is important that the internal audit charter clearly sets forth the mission of the department and that the charter is endorsed by senior management and approved by the board. The CAE should invest the appropriate time needed to educate the stakeholders on the purpose of internal auditing and the value that can accrue to the organization when governance, risk management and controls are appropriately designed and operating effectively.

The CAE should periodically solicit feedback from key stakeholders to ensure the activity continues to perform value-added audits and that the audit plan remains aligned with the strategic objectives and key risks facing

the organization (due to proximity with the stakeholder, it may be easier to solicit feedback in a small internal audit activity environment). If the internal audit activity’s mission is aligned with the organization’s strategic objectives, it is likely that this standard will be met.

Elements of a well-managed function such as risk-based planning, timely and effective communication to key stakeholders, well-established policies and procedures, and effective coordination with other assurance providers are the same for large and small audit organizations. The level of formality of these elements varies based on the needs of the organization and the size of internal auditing. The factors that resulted in the need for a small internal audit activity are likely the same factors that allow for less formality in the method of conformance with the Standards. The CAE should continue to focus on a risk-based audit plan that can be supported by available resources. Also, appropriate communication should be made to the stakeholders regarding those audit areas that cannot be accomplished due to resource limitations.

Conforming With Standard 2100 – Nature of Work

Standard:
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Challenge:
Degree of Challenge MEDIUM

If the small internal audit activity is operating within a small organization, the governance, risk, and control processes may still be evolving. Internal auditing may be one of the groups with the skill sets to perform these functions or may have responsibility for many of the functions supporting governance, risk, and control. Furthermore, controls may not be adequately designed or may not operate as intended, increasing the risk of the organization failing to achieve success.

If the small audit activity is operating within a larger or more established organization, the governance, risk management, and control processes may be more mature. In this case, the challenge could shift to ensuring that the roles and responsibilities of internal auditing are clearly communicated to avoid duplication of effort among these processes or gaps in assigning ownership for the processes.

The limited size of the audit activity may make it difficult for internal auditing to cover all mandated areas in the 2100 section of the Standards.

Guidance:
Whether the small internal audit activity is operating within a small or large organization, internal auditing is expected to contribute to the improvement of governance, risk management, and control processes simply through the completion of its work.

A clear definition of the roles and responsibilities of the board, management, and internal auditing with respect to governance, risk, and control processes would help to ensure the appropriate attention and resources are assigned to those areas. The CAE may include a few questions on key issues and internal audit roles for discussion with the audit committee, documenting the response. It is important for the internal audit activity to remain focused on evaluating the effectiveness of these areas, however, as management remains responsible for designing and implementing effective governance, risk management, and control processes. The CAE should ensure that consulting engagement objectives are consistent with the overall values and goals of the organization.

The internal audit activity should use its risk-based audit approach to ensure adequate focus on all areas mandated by the Standards. The depth, frequency, and nature of audit work should be modified based on the risk of the area and available level of resources.

www.theiia.org/guidance / 8
IPPF – Practice Guide
Assisting Small Internal Audit Activities
in Implementing the Standards

Conforming With Standard 2200 – Engagement Planning

Standard:
Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.

Challenge:

Degree of Challenge HIGH

A key component of planning is the performance of a preliminary assessment of the risks relevant to the area under review. Applicable engagement objectives should reflect the results of the preliminary risk assessment. The ability to perform such an assessment may be impacted by the skill level of the staff/specialist and time available to appropriately assess such risks. Additional challenges may lie in the degree to which engagement planning is formalized and documented.

Guidance:
The CAE should develop planning considerations in the form of checklists for common engagement types. Classification of engagements on the basis of criteria such as risk or complexity, number of planned hours, level of staff assigned to the engagement, and intended audit report users/audience may better define degree of formality, detail, and duration of engagement planning. Classification of engagements also may drive who may perform related planning.

Three key components of the planning process are:

• Defining engagement objectives — Identifies the purpose of the engagement and includes a preliminary assessment of risk. For planned engagements, the objectives are aligned with those initially identified during the risk assessment process and are often driven by the internal audit plan. For unplanned engagements, the objectives are established at the onset of an engagement and are specific to underlying issues triggering it.

• Defining engagement scope — Identifies technical requirements, objectives, risks, processes, and transactions to be examined. This component also considers the nature and extent of testing required.

• Defining engagement audience — Identifies how, when, and to whom engagement results will be communicated. This includes reporting subsequent changes that affect the timing or reporting of engagement results.

These three components should drive many of the factors that are considered at the planning stage such as:

• Engagement duration and key due dates.
• Engagement staffing.
• Extent of documentation (e.g., for use in recurring engagements).

Engagement scope should specifically consider relevant risks. To allow small audit activities to gather meaningful information about engagement-specific risks, internal auditing should leverage the following related to the areas under audit, if available:

• Management's own risk self-assessments or questionnaires for the engagement area.
• Management's related process narratives or flowcharts.
• Management's related internal reporting.
• Information regarding management's risk tolerances or appetite (could include SWOT analysis and/or results of external consulting activities).
• Internal auditing's independent risk inventory.
• Internal auditing's evaluation of historic internal or external audit findings.
• Internal auditing's review of prior internal audit reports or working papers.

• Management surveys that may provide insights.
• Review of the organization's strategic plan, budget, regulatory filings, internal management communications, independent consideration of market/inherent risks by internal auditing, etc.
• Review of regulatory compliance programs (e.g., US Sarbanes-Oxley Act) and results where applicable.
• Others.

The higher the associated risk of an engagement, the greater the formality and documentation needed to support engagement planning.

Additionally, development of work program templates by engagement type will lessen the time staff needs to complete engagements and will also ensure that engagement objectives are appropriately incorporated into the work performed. The CAE should revisit such templates at least annually to ensure that the work required is relevant and appropriate in the context of the audit plan. The CAE should specifically ensure that sampling methods and requisite analysis supporting engagement execution and conclusion are approved before the engagement begins. The most experienced auditors should lead the completion of the most complex work programs where possible.

Conforming with Standard 2300 – Performing the Engagement

Standard:
Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.

2340 – Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.

Challenge:

Degree of Challenge HIGH

The CAE may not be able to supervise all engagements, as he or she may be performing some engagements in addition to supervising. Additionally, many smaller activities using manual workpapers may be challenged by the need to maintain evidence of engagement supervision. Time to develop staff and related supervisory skills may be limited. An additional challenge may be that the CAE is so involved in the engagement that it does not receive sufficient independent review.

The small audit activity also may lack the quantity and quality of experienced auditors needed to easily identify sufficient, reliable, relevant, and useful information to achieve the engagement's objectives. Additionally, workload and related challenges may limit staff's ability to base engagement conclusions upon appropriate analyses and evaluations of information during engagement performance.

Guidance:
Engagement Performance and Review

CAEs are encouraged to take a more involved role in high-risk or complex engagements performed by internal auditing.

For complex engagements, the CAE may need to be engaged and oversee the progress of the engagement at routine intervals or, if possible, at key stages of engagement completion. However, within such engagements, it is possible that more experienced audit staff can review areas of lower risk and complexity under the CAE's supervision.

For engagements performed by the CAE that are of lower risk, review of the CAE's work by experienced audit staff within the function may be suitable provided such review is documented. For complex engagements performed by

the CAE, peer reviews are recommended. The review may be performed by others in the organization with suitable audit or alternate professional backgrounds in the subject areas of the audit conducted. However, such reviews are recommended to be structured and performed so as to not impair the independence and objectivity of the function.

Additionally, it is recommended that expectations for audit evidence — including types of evidence and related analysis — to support conclusions be set at the onset of the engagement. These expectations should be set by the CAE for complex engagements or by experienced staff within the function for less complex engagements. The quality of information gathered or analysis prepared to support audit conclusions should be evaluated with the guidance provided for Standard 2340.

Use of experienced staff within the audit function to review the work of less experienced staff may be acceptable for lower risk and less complex engagements. Within such engagements, key elements may still warrant CAE review and consideration; however, such elements are expected to be a smaller subset of executed engagements. Key elements of the engagement at minimum should include a listing of findings and recommendations.

In the context of the above guidance, it is recommended that the CAE or those assigned to engagement supervision sign off on engagement working papers to document evidence of their review. Additionally, it is recommended that these individuals indicate when such reviews were performed. Such reviews must be performed timely. The timeframe will be defined by the nature and purpose of audits performed and should be established by the CAE consistent with Standard 2200.

Conforming with Standard 2400 – Communicating Results

Standard:
Internal auditors must communicate the results of engagements.

Challenge:

Degree of Challenge MEDIUM

A small internal audit activity may face challenges in establishing criteria for issuing communications as required by Standard 2410. Activities operating with few resources may find it difficult to issue formal audit reports for each engagement performed. These activities also may have limited written guidance for their staff regarding when such reports must be issued. Challenges also may exist in the context of Standards 2420 and 2440, where small internal audit activities may lack the experienced or sufficient resources to produce communications that are accurate, objective, concise, constructive, complete, and timely. Although engagement communications must conform to IPPF Standards of Quality, the ability to provide such communications timely may pose greater challenges for the small audit activity. Absence of formalized policies to guide the review and drafting of such communications may further limit the function's ability to produce the applicable communications timely to the appropriate parties. Additional challenges include maintaining consistency in evaluating results, assigning levels of importance and priority, and ensuring timely response on draft reports issued.

Guidance:
To better use the time and limited resources at internal auditing's disposal, engagement-specific reporting should be defined as part of engagement planning. The Standards should be specifically considered at the engagement planning stage so that the nature of communication is understood during the execution phase.

The CAE should refer to the Practice Advisories for Standards 2420 and 2440 and specifically consider the following actions to provide quality communications:

Develop guidance for staff on how to draft meaningful and concise communication.


Establish department practices to ensure that experienced auditors have a common understanding of the requirements of the communication as driven by the CAE and organization-specific requirements. These practices should include the expected content and format of communications, guidance regarding to whom the communications should be addressed, and whether others outside the function should be consulted before finalization and release.

Establish key criteria that must be met by each communication before being authorized for release by the CAE. It is advised that the CAE establish such criteria in conjunction with the more experienced auditors. This will ensure that key criteria are agreed upon before the drafting of such communications and should in turn reduce the time needed for the CAE or designate to review and release such communications. It is imperative that such criteria not contradict the overall intent of Standard 2400 and related underlying standards.

Conforming with Standard 2500 – Monitoring Progress

Standard:
The CAE must establish and maintain a system to monitor the disposition of results communicated to management.

Challenge:

Degree of Challenge MEDIUM

The challenges faced in conforming to this standard are not unique to small audit activities but are certainly compounded in an audit activity with limited resources. Timely follow-up with management regarding agreed-upon remediation plans for internal audit findings may be difficult to fit in if the department work plan does not schedule time to accomplish this objective.

Guidance:
CAEs for small internal audit activities should consider a strategy to prioritize the findings on which to follow up (in cases where audit findings are risk ranked or rated, the same prioritization may be followed). As part of the process the CAE should require management representation that the matter has been addressed appropriately before any further audit work. General guidance on prioritization appears below:

Prioritized Audit Recommendations (Ratings) | Follow-up Strategy | Comments
High Risk/Priority | Validation by Internal Auditing | Internal auditing should review and agree to the remediation plan and validate its results at completion.
Medium Risk/Priority | Self-assessment | Internal auditing should rely on validation by the business process owner. The remediation plan should be validated during the subsequent audit.
Low Risk/Priority | Self-assessment | Internal auditing should rely on validation by the business process owner and may consider validation in the subsequent audit.

In addition, internal auditing can request firm commitments from management when discussing recommendations at the end of the audit period (status could be included in board reporting). These commitments can serve as a basis for scheduling follow-up time for high-risk or high-priority matters. A good productivity tool is a spreadsheet that lists open issues, owners, due date, a brief summary of the matter, and current status. A better tool could be an intranet Web-based solution found in many small organizations that the internal audit activity could use.

Conforming with Standard 2600 – Management's Acceptance of Risk

Standard:
When the CAE believes that senior management has accepted a level of residual risk that may be unacceptable to the organization, the CAE must discuss the matter with senior management. If the decision regarding residual risk is not resolved, the CAE must report the matter to the board for resolution.

Challenge:

Degree of Challenge MEDIUM

As stated in the Standards, CAEs may have challenges with maintaining independence and objectivity as auditors and/or the CAE are given operational responsibilities. In some cases, the CAE might be part of the management team that has defined the acceptable level of risk. Also, if internal auditing does not report high enough in the organization, or if the CAE does not hold a high level of status by title or level of responsibility, his or her voice on the acceptable level of risk may not be heard by the management team.

Guidance:
The CAE for a small audit activity may consider including sections in the internal audit charter to describe the resolution process in cases where management disagrees with internal auditing's recommendation or acceptable level of risk. The resolution process should include escalation of disagreement with management to the board when necessary. In cases where the internal audit charter does not include any resolution process, the CAE should inform the board of such matters. In either case, the communication should be documented.

The CAE should also review The IIA's Position Paper on The Role of Internal Audit in Enterprise-wide Risk Management. The paper addresses the roles that internal auditing should not undertake and those that should be taken with appropriate safeguards.

Reliance on the Work of Small Audit Activities by External Auditors

Small internal audit activities are often requested, or directed by their charter, to provide direct assistance to the external auditors to reduce the cost of the external audit. The ability of external auditors to rely upon the work of internal auditing may be limited in circumstances giving rise to one or all of these conditions:

• Limited independence of the activity based on current reporting lines.
• Lack of experience or qualifications within the activity, including inadequate training.
• Limited scope of work of the activity that may not cover the full scope of the external audit.

Limited independence of the function.

• Although some CAEs may report to the chief executive officer or the chief financial officer, the formalization of functional reporting to the board may not have been established. In such cases, documentation and justification of the internal audit activity's current reporting structure may provide some support for the external auditor to consider partial or full reliance on the work of internal auditing.

• Alternatively, in such cases, a small internal audit activity could work with the external auditor to highlight how the current reporting structure could be modified to allow the external auditor to leverage the work of the function, which in turn may provide greater savings in external audit completion time and related fees.

• For select audits, small internal audit activities may want to consider concurrent audit execution with the external auditors. In such cases, although audit evidence may be jointly evaluated, internal auditing may lead documentation of audit work. This approach still may allow partial usage of the audit activity's work by the external auditor.

Lack of experience or qualifications within the function.

• Requirements for staff to attain IIA or equivalent certifications may not be met in light of funding constraints. Staffing the function with individuals that hold such designations will reduce future expenditures in this regard.

• Leveraging opportunities to seek group training amongst other local small internal audit activities may reduce overall expenditures and provide opportunities for the staff to obtain continuing professional education.

• Retention of evidence supporting completion of training by the audit staff may provide the external auditor greater comfort regarding the competency levels of the activity.

• Formalized review of workpaper documentation by an individual or individuals with appropriate qualifications and/or experience might compensate for resources within the audit activity that might otherwise be deemed inexperienced or unqualified.

Limited scope of work of the activity that may not cover the full scope of the external audit.

• External audit requirements for sampling and the nature and extent of procedures may not correspond to those of the internal audit activity.

• The Standards encourage collaboration with external auditing, and such collaboration may include discussion of external audit sampling and scoping parameters. Such discussions in advance of audit plan development and execution may allow for greater reliance on the work of internal auditing.

• Sharing the support and basis for the current internal audit plan, including risks addressed, with the external auditor may result in the potential revision of its planned work.

• For areas of the external audit plan not addressed by the internal audit plan, consideration should be given to using suitable organizational resources from outside internal audit to perform additional work under the supervision of the CAE. Such opportunities should be discussed with the external auditor and management and considered in the context of potential time and cost savings for the external audit.


Authors:
Princy Jain, CIA, CCSA

Kiko Harvey

Rita Thakkar, CIA

Robert W. Cates, CIA

Reviewers and Contributors:


Maria Mendes, CIA, CCSA

Takeshi Shimizu, CIA, CCSA

Douglas J. Anderson, CIA

James Rose, CIA

Steven E. Jameson, CIA, CCSA, CFSA


Appendix A – Template to Facilitate Determination of Gaps in Conformance with the Standards

Standard # | Standard Title | Current Status†
1000 | Purpose, Authority, and Responsibility |
1010 | Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter |
1100 | Independence and Objectivity |
1110 | Organizational Independence |
1120 | Individual Objectivity |
1130 | Impairments to Independence or Objectivity |
1200 | Proficiency and Due Professional Care |
1210 | Proficiency |
1220 | Due Professional Care |
1230 | Continuing Professional Development |
1300 | Quality Assurance / Improvement Program |
1310 | Quality Program Assessments (this standard includes 1311 – Internal Assessments and 1312 – External Assessments) |
1320 | Reporting on the Quality Program |
1321 | Use of "Conducted in Accordance with the Standards" |
1322 | Disclosure of Nonconformance |
2000 | Managing the Internal Audit Activity |
2010 | Planning |
2020 | Communication and Approval |
2030 | Resource Management |
2040 | Policies and Procedures |
2050 | Coordination |
2060 | Reporting to the Board and Senior Management |
2070 | External Service Provider and Organizational Responsibility for Internal Auditing |
2100 | Nature of Work |
2110 | Governance |
2120 | Risk Management |
2130 | Control |
2200 | Engagement Planning |
2201 | Planning Considerations |
2210 | Engagement Objectives |
2220 | Engagement Scope |
2230 | Engagement Resource Allocation |
2240 | Engagement Work Program |
2300 | Performing the Engagement |
2310 | Identifying Information |
2320 | Analysis and Evaluation |
2330 | Recording Information |
2340 | Engagement Supervision |
2400 | Communicating Results |
2410 | Criteria for Communicating |
2420 | Quality of Communications |
2421 | Errors and Omissions |
2430 | Use of "Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing" |
2431 | Engagement Disclosures of Nonconformance |
2440 | Disseminating Results |
2450 | Overall Opinions |
2500 | Monitoring Progress |
2600 | Management's Acceptance of Risks |

† The internal audit activity should self-assess its current status on a scale of 1-5 (where 1 is the lowest and 5 the highest level of conformance). In cases where conformance status is towards the lower end, the CAE should establish a plan to enhance it.
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
Audit Reports
Communicating Assurance
Engagement Results
Practice Guide / Audit Reports

Table of Contents
Executive Summary ...................................................................................................................3
Introduction ................................................................................................................................5
Business Significance, Challenges, and Opportunities ...................................................5
Audit Report General Guidelines ...............................................................................................6
Understanding the Stakeholders/Users of Internal Audit Reports ...................................6
Report Content and Structure .........................................................................................7
Report Issuance ..............................................................................................................8
Writing Style Considerations ......................................................................................... 10
The Executive Summary .......................................................................................................... 11
Introduction and Scope of the Internal Audit Engagement ............................................ 12
Internal Audit Engagement Conclusions ....................................................................... 12
Summary of Significant Observations ............................................................................ 12
Repeat Observations from Previous Audits ................................................................... 12
Audit Report Elements ............................................................................................................. 13
Objectives and Scope .................................................................................................... 14
Observations .................................................................................................................. 14
Recommendations ......................................................................................................... 19
Management Action Plans ............................................................................................. 20
Report Review Process ............................................................................................................ 22
Communicating Results ........................................................................................................... 23
Presenting Engagement Results – Types of Communication ........................................ 23
Follow-up Actions Planned by Internal Audit ........................................................................... 24
Appendix A: Key IIA Standards ................................................................................................27
Appendix B: Glossary ............................................................................................................... 31
Appendix C: Audit Report Template ........................................................................................ 33
Appendix D: Audit Report Examples ....................................................................................... 35
Authors/Contributors ................................................................................................................ 44


Executive Summary

As the demand for internal audit value shifts from a retrospective view to a forward-looking
perspective, internal auditors are expected to adapt with innovative methods to assess and
communicate internal audit results. Communicating engagement results effectively provides
management the opportunity to take corrective actions in a timely manner.

Timely and proficient communication of internal audit results can increase the effectiveness of
governance and risk management, provide opportunities for process improvements, and
influence positive change. This practice guide focuses specifically on communicating internal
audit results through written reports, and provides guidance on how to:

• Identify the key components of an effective internal audit report or presentation.

• Create and organize an effective written internal audit report.

• Present internal audit engagement results to relevant stakeholders.

• Develop a follow-up process to monitor and report corrective actions taken by management.

Engagement results may be communicated through a formal presentation or exit interview rather than a traditional written internal audit report. The method used to communicate results may vary based on the organizational structure, type of internal audit, and related recommendations. However, the information communicated should still contain the key concepts included in this guidance. Guidelines for communicating engagement results should be established with the board and senior management.

Through this guidance, the internal auditor will come to consider that:

• Stakeholders have diverse needs. Written reports may be structured for multiple types of recipients, or more than one type of report may be needed based on stakeholders' needs.

• Effective internal audit communication needs to be accurate, objective, clear, concise, constructive, complete, and timely to be relevant.


• The internal audit report must include the objectives, scope, and results of the
engagement.

• Management’s action plans must be included, as they are often the most referenced
segment of the report over time. Ensuring that the tone and expected completion of the
response is in line with the significance and urgency of the issue is important.

• It is important to conduct a thorough review of the content to validate factual accuracy and completeness of reporting, and to ensure the engagement results and conclusions are supported by sufficient, reliable, relevant, and useful information.

• A concise executive summary may highlight good practices observed during the
engagement and any steps taken by management to improve governance, risk
management, and internal controls (refer to Standard 2410.A2). It is also important to
include straightforward, topical issue descriptions that could be adapted for a senior
management or board presentation as needed.

• The distribution of the report must be validated and approved by the chief audit
executive to ensure it is directed to the intended recipients and disseminated to the
appropriate parties who can ensure that the results are given due consideration.


Introduction

Internal auditors must communicate the results of engagements (Standard 2400: Communicating Results). However, the format, content, and timing of such communications
may vary by organization and engagement type. Agreeing to a communication plan with
stakeholders during engagement planning will help establish how, when, and with whom
interim and final results will be communicated. Written internal audit reports provide a formal
means of notifying senior management, the board, and other stakeholders of audit
observations, related risks, and areas for improvement. Many internal audit activities
communicate engagement results via internal audit reports, which include the engagement's
objectives, scope, applicable conclusions, recommendations, and management’s action plans.
This guidance specifically focuses on communicating assurance engagement results in a
written internal audit report format.

Business Significance, Challenges, and Opportunities

A well-written audit report provides senior management, the board, and other stakeholders a
better understanding of the audited activity’s governance, risk management, and control
processes. It also provides an opportunity to point out the means by which the potential impact of
significant risk is kept to an acceptable level and/or to acknowledge the engagement client’s
satisfactory performance. In addition, a well-written audit report presents an opportunity to
market the internal audit activity by showcasing internal auditors’ in-depth knowledge of the
organization’s business processes and internal audit’s willingness to partner with management
and provide recommendations for improvement.

Outdated, inaccurate, and poor quality audit reports can discredit the importance of the work
performed by the internal audit activity. When drafting the audit report, internal auditors should
be careful to avoid these potential pitfalls:

• Significant errors and omissions.

• Language that is too technical or filled with too much jargon.

• Observations and recommendations that are not well-formulated.

• Failing to acknowledge satisfactory performance.

• Omitting or not explaining the scope limitations.

• Issuing late reports or issuing them to inappropriate parties.

These pitfalls can be avoided through careful preparation and review of the audit report before
it is issued. This practice guide takes into consideration the business significance, challenges,
and opportunities of drafting the audit report.

Audit Report General Guidelines

Understanding the Stakeholders / Users of Internal Audit Reports

Internal audit reports should consider the diversity of the report recipients and their individual
information needs. Report recipients may vary based on the organizational structure, type of
audit, and related recommendations. The CAE should establish guidelines for report
distribution with the board and senior management (such as the chief executive officer (CEO),
chief financial officer (CFO), legal counsel, etc.). Internal audit reports are typically distributed
to the following stakeholders:

• Process owners and management.
• Senior management.
• The board.
• Other stakeholders as deemed necessary (such as external auditors).

According to Standard 2440 – Disseminating Results, “The chief audit executive must
communicate results to the appropriate parties.” A standard distribution list often exists and
should be adjusted based on the particular internal audit engagement. Recipients may include
managers who have direct responsibility for the audited activity and individuals with authority to
take action on internal audit’s recommendations. The CAE (or designee) may coordinate with
management to determine an appropriate distribution list so that due consideration is given to
the results. The final engagement communication and decision to whom and how to
disseminate is ultimately the CAE’s responsibility.

Internal audit reports are confidential documents and distribution should be on a need-to-know
basis. Condensed versions of reports may be created if certain information is to be shared with
other entities/units in the organization. Different formats may be created, depending on the
recipient (e.g., the board may receive an executive summary rather than the entire detailed
report).

Also, depending on the industry — such as within the public sector — reports may be publicly
available. In regard to distributing internal audit reports outside of the organization, Standard
2440.A2 states, “If not otherwise mandated by legal, statutory, or regulatory requirements,
prior to releasing results to parties outside the organization the chief audit executive must:
assess the potential risk to the organization; consult with senior management and/or legal
counsel as appropriate; and control dissemination by restricting the use of the results.”

Report Content and Structure

The style and format of written internal audit reports vary across organizations. The internal
audit report structure could be consistent with the organization’s communication templates and
practices, reflect the organization’s culture, and/or incorporate suggestions from senior
management and the board.

According to Standard 2420 – Quality of Communications, “Communications must be
accurate, objective, clear, concise, constructive, complete, and timely.” The content and level
of detail should be determined by the needs of the audience. As such, some organizations
may deem it appropriate to utilize different formats/versions that are customized for the
audience. Consider these questions about the audience(s) when customizing reports:

• Who are the most important readers of the report?
• How much do they know about the audited activity?
• How do they plan to use the report?
• How do the identified issues impact the reader?

The structure of a report often includes the following components:

1) Audit report title.
2) Objective (purpose of engagement).
3) Scope (audited activities, nature and extent of work, scope limitations).
4) Background (brief synopsis of the activity being audited or an explanation of the
process).
5) Recognition (positive aspects of area or activity audited or appreciation of
cooperation).
6) Engagement rating (ranking, outcome [e.g., satisfactory, marginal, unsatisfactory,
pass, fail]).
7) Conclusions (summary opinion/assessment of the engagement, often highlighting
critical observations).
8) Observations (also referred to as findings) — each observation should be listed in
order of significance (grouped by activity if applicable) and often include:
a. A title and reference.
b. Criticality rating (measure of risk significance [e.g., high, medium, low, critical,
significant]).
c. Statement of facts (condition, criteria, cause, effect/risk), which can be
substantiated with relevant examples, data, analytics, tables, or charts.
d. Audit recommendations (corrective action to mitigate the risk identified in the
observation).
e. Management’s action plans (corrective action, activity owner, and target date
for completion).
9) Distribution list.

The use of Standard 2430 – Conducted in Conformance with the International
Standards for the Professional Practice of Internal Auditing may be indicated only if
supported by the results of the quality assurance and improvement program.

An audit report template is provided in Appendix C and simplified audit report examples are
provided in Appendix D.

Report Issuance
Engagement results should be communicated according to the agreed communication plan.
Timely communication allows management to take appropriate corrective action. The
appropriate timing of issuing written reports may depend on several factors:

• Audit engagement type.
o For regular audit engagements, such as those reflected in the annual internal
audit plan, the CAE establishes the issuance timetable in accordance with
defined policies and procedures. To ensure timely communication of
engagement results and execution of internal audit plans, a good practice is to
issue the draft report within a few days of the exit meetings and the final written
report within two weeks of the draft.
o For special engagements, such as those requested by management outside of
the internal audit plan to address an urgent issue, the issuance of the report
ordinarily takes priority over regular engagements. This is essential to effectively
and efficiently address higher risk situations.
o For complex, lengthy internal audit engagements with multiple audited activities
(such as branches or units with many departments), interim reports or status
updates could be issued upon completion of each audited activity for immediate
consideration of observations and applicable corrective action.

• Interim communication considerations.
o For high-risk observations, it is prudent and typical for the CAE to verbally
discuss items well in advance of the formal written report. In addition to the
verbal discussion, the CAE may also authorize the issuance of an interim report
to management so that action plans can be implemented immediately, prior to
the issuance of the final written report.
o For medium-risk observations, an interim report could be drafted for
management for more timely actions. The final written report could also be
issued following the procedure for regular internal audit engagements on
medium-risk observations.
o For low-risk observations, other alternatives could be considered, such as
verbally reporting the observations to responsible management or issuing a
separate memo to management.

• Report recipient.
o As stated previously, ongoing communication (verbal and/or written) should
occur throughout the internal audit engagement with the activity process owners
and management. In addition to interim reports, internal auditors may consider
having management review a draft of observations and recommendations. This
practice helps build a partnership with the organization and reduces engagement
observation errors, misunderstandings, and disagreements.
o Frequency and type of communication to the board varies by organization. Final
written internal audit reports or executive summaries may be provided to the
board at the conclusion of all internal audit engagements. Alternatively, a status
update highlighting recent internal audit results can be scheduled at regular
intervals (e.g., quarterly) or issued on an ad hoc basis. These reports usually
contain the most significant internal audit observations (the executive summary
of the audit report is often sufficient), audit conclusion, and progress of
management’s follow-up.
o Reports to external auditors, other stakeholders, and/or external parties, such as
regulators, can be issued as needed. For example, external auditors and/or
external parties might require a summary of internal audit engagements
completed within a specified time period. Also, government and public sector
internal audit reports may be public record based on the organization’s
geographic location and/or industry and may require a different approach.

The written internal audit report should be issued in a timely manner after the conclusion of the
internal audit engagement and should not contain any surprises.

Writing Style Considerations

When drafting the internal audit report, readers’ needs should be considered. The results
should be presented in an organized way, such as placing observations in chronological order,
by significance, or grouping by topic, cause, or effect/risk. To achieve this, wording that is
simple and relatively free of technical jargon should be used, and sentences should be short
and to the point. Charts, graphs, diagrams, tables, illustrations, and other graphics help to
highlight key messages. The tone of the report should be constructive, not adversarial.

The writing style should follow the organization’s protocols for written communications.
Additional guidance can be found in Internal Auditing: Assurance and Advisory Services [1],
Sawyer’s Guide for Internal Auditors [2], and Clarity, Impact, Speed: Delivering Audit Reports
That Matter [3].

The Executive Summary

The stakeholders’ desire to continue reading a report often depends on the impression of the
executive summary, which is designed to provide a clear and concise overview of the
engagement results and efficiently deliver critical information with a persuasive, well-
substantiated key message to stakeholders.

The executive summary generally highlights good practices observed during the audit and any
significant steps taken by management in improving the governance, risk management, and
internal controls of the organization. The summary should not contain technical jargon and
internal audit methodologies. Such information could be referenced in the detailed report if
needed by the reader to obtain a more in-depth understanding of the information presented.
The key components of an executive summary generally include:

• Introduction, objectives, scope, and engagement results.
• Conclusions for the audited activity/processes.
• A summary of significant observations or key messages.
• Concerns encountered with management, relating to establishing corrective actions,
deadlines, and/or situations where the CAE concludes that management has accepted
a level of risk that may be unacceptable to the organization.

[1] Kurt F. Reding, et al., Third Edition, pp. 14-26.
[2] The Institute of Internal Auditors Research Foundation (IIARF), vol. 2, pp. 238-277, 2012.
[3] Sally F. Cutler, The IIARF Handbook Series, 2011.

Introduction and Scope of the Internal Audit Engagement

The introduction provides basic information about the entity, activity, or process audited. The
scope may indicate the period covered, the type of internal audit being conducted (i.e.,
assurance engagement, advisory/consulting engagement, or follow-up audit), specific risks,
relevant systems, and/or the departments or functions assessed.

Internal Audit Engagement Conclusions

According to Standard 2410.A1, “Final communication of engagement results must include
applicable conclusions, as well as applicable recommendations and/or action plans. Where
appropriate, the internal auditors’ opinion should be provided. An opinion must take into
account the expectations of senior management, the board, and other stakeholders and must
be supported by sufficient, reliable, relevant, and useful information.” Internal auditors’
conclusion of the condition of the audited activity/process helps the reader understand the
significance of the observations. The financial impact caused by the internal control
weaknesses and irregularities also can be used to convey the significance of the observations.
Guidance on internal audit opinions is provided in The IIA Practice Guide “Formulating and
Expressing Internal Audit Opinions.”

Summary of Significant Observations

The executive summary generally contains significant observations or key messages from the
internal audit report and may also include concerns encountered with management relating to
establishing corrective actions. It is often beneficial to include a dashboard that lists the
findings in the form of a table, depicting the number of observations/recommendations per
audited activity, according to their importance.

The key observations can be summarized in a positive manner (focus toward enhancement) or
a negative manner (focus toward weaknesses). Internal audit is encouraged to acknowledge
satisfactory performance when applicable and to show the trend (positive or negative)
compared to prior audits of the same activity.

Repeat Observations from Previous Audits

The executive summary may include repeat observations from a previous audit. Additionally,
information on action plans from previous audits that have not been completed, or have
implementation dates that have expired, may also be included. In such cases, it is beneficial to
include historical information on the repeat observations and management’s action plans.

Audit Report Elements

Figure 1 illustrates the process flow of audit report elements.

Figure 1: Information flow of audit report elements.

Objectives and Scope

The objectives and scope in the internal audit report should be consistent with the approved
engagement plan. This section typically describes the audit purpose, risks, scope, and scope
limitation, if any. An example is illustrated in Exhibit A, below.

Standard 2410 – Criteria for Communicating states “Communications must include the
engagement's objectives, scope and results.”

Exhibit A: Example of Objectives and Scope

Objectives and Scope

The objective of our audit was to ensure adequate procedures and processes are in
place to properly account for Sportsplex revenue and that all required reports were
submitted by the contractor to the Parks and Recreation management.

This audit included the Sportsplex owned by the City and managed via contractor
through management agreements with the City.

It did not include transactions and activities in other departments or centers under the
Parks and Recreation management (scope limitation).

The audit covered revenue from Calendar Year 2015. Our fieldwork concluded on
February 15, 2016.

Observations
Observations (also referred to as findings), recommendations, and management’s action plans
(responses) make up the core of the written internal audit report. These components enhance
communication between internal auditors and stakeholders, and are linked together as
illustrated in Figure 2, on page 15. The starting point used to develop the observation is
“condition.” The goal is to develop a condition-based and a root cause-based
recommendation/management action plan.

Figure 2: Observation, recommendation, and management action plan.

Root cause-based action plans are ideal, as they mitigate the underlying cause of the condition
that triggered the observation. Internal auditors must understand the meaning of condition,
cause, and root cause, as well as related effects and recommendations to develop root cause-
based recommendations. This concept is illustrated in Figure 3, on page 16.

Figure 3: Examples of condition, effect, cause, root cause, and recommendation.

Observations include the condition, criteria, cause, effect, and rating. Observations should be
written in such a way that the appropriate party understands and accepts internal audit’s
assessment of the risk, as well as its impact on organizational objectives. Observations should
be supported with evidence, brief and organized, and explain in simple language how the
condition compared to a set of criteria. Recommendations, explained in the next section,
should provide a practical, feasible solution to mitigate the risks identified in the observations,
thereby eliciting a positive response from the engagement client.

Observations include the following elements:

• Condition: Factual evidence identified during the course of the engagement (what does
exist). Condition is the key issue the internal auditor considers, and it can be
measurable or observable.
• Criteria: Standards, measures, or expectations used in making an evaluation and/or
verification of an observation (what should exist). Criteria are used to compare and
evaluate the existing condition(s) and can be written policies, procedures, laws,
regulations, and/or guidelines. Criteria can also be established organizational practices,
expectations based on the design of the control, and even common sense procedures
that may not be formally documented and may require internal auditors’ professional
judgment for their evaluation.

Internal auditors must define the suitable criteria, or the benchmark against which the
audited activity will be assessed (refer to Standard 2210.A3 for additional guidance).
Choosing the appropriate criteria enables the internal auditor to reach suitable
conclusions and consequently provide meaningful assurance to senior management
and the board. Examples of appropriate criteria may include:

• Internal (e.g., policies and procedures).
• External (e.g., laws and regulatory requirements).
• Leading practices (e.g., industry best practices, professional guidance, key
performance measures).

To define criteria suitable for the internal audit, it is important to take into consideration
the engagement objectives, which are established by internal audit, based on a risk
assessment of the activity under review (refer to Standard 2210 – Engagement
Objectives).

• Cause: Underlying reason for the difference between the criteria and condition (why the
difference exists). It answers the questions “what allows the condition to exist?” and
“why did the condition occur?” It is essential that internal audit work with management to
identify the root cause of the gap.

Merely fixing the issue does not address what caused the issue to exist and does not
improve the overall governance, risk, and control environment. Finding and
appropriately addressing the root cause will reduce (and optimally eliminate) the future
recurrence of the condition.

• Effect: Risk or exposure encountered because the condition is not consistent with the
criteria (the consequence of the difference). In determining the degree of risk or
exposure, internal auditors consider the effect that the engagement observations may
have on the organization’s operations and/or financial reporting process. Effects can be
existing or potential.
o Existing (real) effects are factual and seen as a result of the condition.
o Potential effects are exposures where no real effect has yet occurred or been
found.

In addition to the internal auditors’ observations and recommendations, the identified
risks should be documented in the audit report, along with the impact, to provide clarity
of the issue to the engagement client and stakeholders.

• Rating: Component of the conclusion. It can be an effective communication tool for
delivering the significance of each observation and could assist management with
prioritizing their action plans, and internal auditors with prioritizing follow-up.
Consideration of the individual observation ratings within the report generally impacts
the overall engagement conclusion (as mentioned above in the section entitled “Internal
Audit Engagement Conclusions”). When ratings are used, rating criteria should be
clearly defined and consistently applied across all internal audit reports for assurance
engagements.

For an example of communicating observations, see Exhibit B, on page 19.

Exhibit B: Example of Observations

# 1: Revenue Under-reported
Rating: Low
Observation
The 2015 annual report of revenue generated at the Sportsplex did not include
concession revenue and revenue from a partnership, RUSH Soccer, totaling
$242,890. Per the management agreements with the contractor, the contractor is
required to submit an itemized report setting forth the amount of all gross revenue
received by the contractor (Manager) for the previous calendar year and to be
certified by the chief financial officer or chief executive officer of the contractor as to
the accuracy thereof. The itemized report is to include concessions and any other
revenue received by the contractor. As revenues were far from the revenue sharing
threshold levels ($850,000 for the Sportsplex), the revenue reporting process was
rather informal and the sense of accuracy was not high. Therefore, the annual report of
revenue was incomplete and under-reported for the calendar year.
The management agreement requires concessions to be reported using the larger of
25% of actual concession revenue or the projected concession revenue.

Recommendations
Recommendations are internal auditors’ suggestions for correcting conditions and for addressing
the cause to prevent recurrence (or the creation of new conditions). Recommendations provide
an efficient and effective way to address the gaps identified between condition and criteria.
Recommendations fall into two categories, described below; a combination of condition-based and
root cause-based recommendations may be appropriate, depending upon the particular
observation.

• Condition-based recommendations: Provide an interim solution for correcting the
current condition (e.g., removing inappropriate access).
• Cause-based recommendations: Actions needed to prevent the condition/observation
from occurring again. Root cause-based recommendations are typically longer-term
solutions and may involve more time (e.g., creating and implementing an access review
policy).

While many internal audit activities include recommendations in the draft report,
recommendations may be changed to agreed action if aligned with management’s action
plans. For an example of communicating recommendations, see Exhibit C, below.

Exhibit C: Example of Recommendations

Recommendation
Parks and Recreation management should:
1.1 Develop a template for the contractor to use for submitting the annual itemized
revenue report that would include all revenue, especially concessions and
sponsorships.
1.2 Review the annual itemized revenue report submitted by the contractor to
ensure completeness and reasonableness of amounts reported. Any
discrepancies should be immediately resolved with the contractor.

Management Action Plans

In accordance with Standard 2410.A1, recommendations and/or action plans must be included
in the final communication of engagement results. Actions that were initiated by management
during the internal audit engagement, but before the issuance of the written report, can be
acknowledged in the final engagement communication.

Action plans arising from internal auditors’ recommendations have the potential to transform
business processes and help the organization meet its goals. Action plans are effective when
designed and executed in a way that addresses the root cause. Validation with the
engagement client of the action plan(s) is important to assure issues are effectively and
efficiently addressed, while maintaining alignment with the organization’s objectives. Although
internal auditors may be experts in governance, risk management, and internal controls, they
cannot assume managerial responsibility for the action plans, or claim to understand the
business better than the engagement client.

A good practice is to create a preliminary draft report (also referred to as an audit
memorandum, observation worksheet, or audit comment referral) as a tool for communicating
with senior and line management to enhance the engagement process. It could include a draft
of the condition, criteria, cause, effect, and recommendations. Such a report can assist in
starting a constructive discussion for finding reasonable solutions (agreed actions), even at
early stages of the internal audit engagement. If the conditions are critical, management may
be able to address the conditions before other areas of the organization are impacted.

Working collaboratively with the internal auditors, management provides action plans based on
internal audit’s observations and recommendations, including:

• Agreed action: The actions that will be taken by management to correct the current
condition and causes, thereby preventing future reoccurrence. Generally,
management’s action plans correlate with internal audit’s recommendations. If
management disagrees with the observation or facts identified by internal audit, further
details can be provided to reach agreement or a sound explanation should be provided
by management for discussion and resolution.
• Responsible personnel: Identifies the person or group responsible for the action. This
may be the activity/process owner, manager, or senior management.
• Due date for action plan: Target date for completing the action plan. The CAE should
ensure the proposed timeline is appropriate based on the level of risk.

If the CAE encounters concerns with management when establishing corrective actions and
deadlines and is unable to resolve the concerns after escalation to senior management, it is
appropriate to discuss the concerns and resolution with the board. These concerns might
pertain to the sufficiency of management’s action plan, the deadline for action, or the
classification or description of the observation. An example of communicating management’s
action plans is shown in Exhibit D, on page 22.

Exhibit D: Example of Management’s Action Plans

Action Plan
1.1 A template has been developed and communicated to the contractor requiring
its use to submit revenue reports including all revenue.

1.2 The Director of Parks and Recreation will review annually all revenue reports
submitted by the contractor.

Responsible Personnel
Director of Parks and Recreation

Due Date
April 15, 2016

Report Review Process

As noted in Standard 2440 – Disseminating Results, the CAE is responsible for reviewing and
approving the final engagement communication before issuance. This is an important step to
assure work was performed properly and recommendations align with the organization’s
business objectives.

The CAE reviews and approves the final engagement communication before issuance and
decides to whom and how it will be disseminated so results are given due consideration.
Although the review process will vary depending on the size of the internal audit activity, the
CAE (or designee) should establish a review process for validating report observations.
Depending on the size of the internal audit staff, the review process may include the following
steps:

• Review engagement records to ensure:
o The work performed is consistent with the audit scope, engagement objectives,
and Standards (when claiming conformance).
o Observations and recommendations are clearly stated and supported by
sufficient, reliable, relevant, and useful evidence.
• Draft the internal audit report with cooperation from the internal audit team.
• Validate the draft report and forward to the CAE (or designee) for review.
• The CAE (or designee) reviews the draft report and returns the report to the internal
audit team if there are issues requiring clarification.
• The CAE (or designee) authorizes communication of observations to management for
feedback before issuance of the final written internal audit report.
• Upon review and agreement with management’s action plans and target completion
dates, the CAE (or designee) authorizes issuance of the final written internal audit
report.
• The CAE retains overall responsibility for the final engagement communication, even
when delegating review responsibilities.

Communicating Results

An integral and important part of the internal audit engagement is the presentation of the work
performed and the derived results. Consequently, careful preparation is required as the final
audit engagement communication exhibits the work of internal auditors to senior management,
the board, and other stakeholders, and can also be used as a reference for future assurance
and/or consulting engagements. As noted in Standard 2440.A1, “The chief audit executive is
responsible for communicating the final results to parties who can ensure the results are given
due consideration.”

Presenting Engagement Results – Types of Communication

There are Standards requirements regarding communicating results (refer to: Standard 2410 –
Criteria for Communicating, and Standard 2420 – Quality of Communications). However, there
is no definitive model required for the presentation of internal audit engagement results and/or
written audit reports. Organizations use many varying formats, but general guidelines are
applicable for most presentations and reports. Such presentations and/or reports should:

• Ensure the engagement’s objectives, scope, and results are included.
• Be clear, concise, and easy to read and/or understand.
• Contain accurate and complete information that is presented objectively, constructively,
and timely.
• Ensure conclusions and engagement results are supported by sufficient, reliable,
relevant, and useful information based on appropriate analyses and evaluations.
• Link the objective of the work performed with the organization’s strategic objectives.
• Identify and analyze the root cause of the issues to support the recommendations and
action plans that enhance the business (when applicable).

The means by which final internal audit engagement results and reports are distributed can
also vary; however, they are generally sent through secure email transmission. Oral
presentations, in particular during discussion of the observations and recommendations with
the engagement client’s management, are generally supported by hard copies or printouts.

An audit report template is provided in Appendix C and simplified audit report examples are
provided in Appendix D.

Follow-up Actions Planned by Internal Audit

According to Standard 2500 – Monitoring Progress, “The chief audit executive must establish
and maintain a system to monitor the disposition of results communicated to management.” If
agreed-upon action plans are not acted on by management, the internal audit engagement’s
results are of little value to the organization. In accordance with Standard 2500.A1, the
chief audit executive must have a monitoring process in place to validate that action plans are
implemented effectively or confirm that senior management has accepted the risk of not taking
action.

The follow-up on the action plan is performed by the internal audit activity. A best practice is to
create a tracking spreadsheet or system that records the audit observation, action plan,
responsible personnel, and target completion dates. As corrective actions are completed, the
audit observation is closed; an aging analysis is generated for all open and past-due
observations; and communication takes place with management as needed. The tracking and
aging analysis is also a good tool to share with senior management and the board.

Follow-up activities can be performed at specific time intervals, or on an ongoing basis. When
performed at specific time intervals, the CAE may schedule specific assignments in the annual
internal audit plan to perform a follow-up for incomplete or expired action plans from the
previous year(s). When follow-up activities are performed on an ongoing basis, the follow-up
process is usually performed monthly or quarterly and consists of three elements: collecting
information; verifying the completion of the action plan; and reporting results to the
engagement client, senior management, and periodically to the board (under certain
circumstances, reporting to regulators may be required as well).

• Collecting information: Internal auditors charged with the follow-up process must
collect information from management regarding the status of action plans (i.e., those
action plans that are completed, those that are in process, and those that are not yet
implemented — partially or in total — and those that are overdue).
• Verifying completion of action plans: For action plans reported by management as
implemented, internal auditors should verify that the observations and associated risks
originally raised are appropriately mitigated. Verification may be performed for all
completed action plans or on a selective basis, depending on the risk significance.
o In cases where management determines certain action plans are no longer
necessary, the CAE must discuss the matter with senior management. The CAE
must communicate to the board if the matter is not resolved (refer to Standard
2600 – Communicating the Acceptance of Risks).
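
The tracking system and aging analysis described above, together with the collecting, verifying, and escalation steps of the follow-up process, can be implemented directly. The following Python script is an added example and is not part of the Practice Guide: it models an action plan record with the fields the guide lists (observation, action plan, responsible personnel, target completion date), produces an aging analysis of open and past-due items, separates completed items into those internal audit must verify and those it may verify on a sample basis by risk significance, and lists the items the CAE should raise with senior management (plans management has withdrawn, or plans long overdue). The status values, risk rating scale, aging bucket edges, escalation threshold, and the sample action plans (loosely modelled on the Appendix D observations) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Status values follow the guide's "collecting information" step; "withdrawn by
# management" covers action plans management says are no longer necessary.
# (Constructed vocabulary, not taken from the guide.)
STATUSES = {"completed", "in process", "not implemented", "withdrawn by management"}


@dataclass
class ActionPlan:
    observation: str
    action: str
    responsible: str
    target_date: date
    risk: str                      # "High", "Medium" or "Low" (assumed rating scale)
    status: str = "not implemented"
    completed_on: Optional[date] = None
    verified_by_ia: bool = False   # internal audit has tested that the fix works

    def __post_init__(self):
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status}")


def days_overdue(plan, as_of):
    """Days past the target date for an item still open; 0 if on time or completed."""
    if plan.status == "completed":
        return 0
    return max(0, (as_of - plan.target_date).days)


def aging_bucket(days):
    """Aging bucket for the tracking report (bucket edges are an assumption)."""
    if days <= 0:
        return "current"
    if days <= 30:
        return "1-30 days"
    if days <= 90:
        return "31-90 days"
    return "over 90 days"


def aging_report(plans, as_of):
    """Count open items per aging bucket and list past-due items, most overdue first."""
    buckets = {"current": 0, "1-30 days": 0, "31-90 days": 0, "over 90 days": 0}
    past_due = []
    for p in plans:
        if p.status == "completed":
            continue  # closed observations drop off the aging analysis
        d = days_overdue(p, as_of)
        buckets[aging_bucket(d)] += 1
        if d > 0:
            past_due.append((d, p.observation, p.responsible))
    past_due.sort(reverse=True)
    return {"open": sum(buckets.values()), "buckets": buckets, "past_due": past_due}


def verification_queue(plans, verify_all_risks=("High",)):
    """Split completed-but-unverified plans into those internal audit must test
    (high risk significance) and those it may test on a selective basis."""
    must, may_sample = [], []
    for p in plans:
        if p.status == "completed" and not p.verified_by_ia:
            (must if p.risk in verify_all_risks else may_sample).append(p)
    return must, may_sample


def cae_attention(plans, as_of, overdue_threshold_days=90):
    """Items the CAE should discuss with senior management: plans withdrawn by
    management, or plans overdue beyond the (assumed) threshold."""
    return [p for p in plans
            if p.status == "withdrawn by management"
            or days_overdue(p, as_of) > overdue_threshold_days]


# Constructed sample tracking data; dates and statuses are illustrative only.
AS_OF = date(2016, 6, 30)
SAMPLE_PLANS = [
    ActionPlan("Revenue under-reported", "Template for annual itemized revenue report",
               "Director of Parks and Recreation", date(2016, 4, 15), "Low",
               status="completed", completed_on=date(2016, 4, 10)),
    ActionPlan("Bank account access controls lacking", "Quarterly one-over-one entitlement review",
               "Controller", date(2016, 6, 30), "High", status="in process"),
    ActionPlan("Inadequate bank reconciliation process", "Segregate custody and reconciliation",
               "Controller", date(2016, 5, 15), "High", status="in process"),
    ActionPlan("Insufficient contract management process", "Document renewal process in SOP",
               "CFO", date(2016, 3, 1), "High"),
    ActionPlan("Token recovery on termination", "Collect tokens via supervisors",
               "Controller", date(2016, 6, 15), "Medium", status="withdrawn by management"),
]

if __name__ == "__main__":
    report = aging_report(SAMPLE_PLANS, AS_OF)
    print(f"Open action plans: {report['open']}  buckets: {report['buckets']}")
    for days, observation, owner in report["past_due"]:
        print(f"  {days:>4} days overdue  {observation}  ({owner})")
    must, sample = verification_queue(SAMPLE_PLANS)
    print(f"Must verify: {[p.observation for p in must]}  may sample: {[p.observation for p in sample]}")
    print(f"For CAE attention: {[p.observation for p in cae_attention(SAMPLE_PLANS, AS_OF)]}")
```

The report treats "overdue" as derived from the target date rather than stored as a status, so the same record feeds both the monthly aging analysis and the annual follow-up assignment; a withdrawn plan stays on the open list until the CAE has either obtained senior management's acceptance of the risk or escalated to the board.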

There are several tools in the market that facilitate the follow-up process, allowing internal
audit to use a single workflow from risk assessment, to report delivery, to action plan follow-up.
As an example, the workflow could send automatic emails when an action plan is nearing its
target completion date. Internal auditors should not lose sight of the fact that the main objective
of the follow-up process is to validate that the agreed-upon actions have been implemented and
are working effectively.

Appendix A: Key IIA Standards

The International Professional Practices Framework (IPPF) outlines the following International
Standards for the Professional Practice of Internal Auditing pertaining to communicating audit
results.

IIA Standard 2210: Engagement Objectives

Objectives must be established for each engagement.

2210.A3: Adequate criteria are needed to evaluate governance, risk management, and
controls. Internal auditors must ascertain the extent to which management and/or the board
has established adequate criteria to determine whether objectives and goals have been
accomplished. If adequate, internal auditors must use such criteria in their evaluation. If
inadequate, internal auditors must identify appropriate evaluation criteria through discussion
with management and/or the board.

Interpretation

Types of criteria may include:

• Internal (e.g., policies and procedures of the organization).
• External (e.g., laws and regulations imposed by statutory bodies).
• Leading practices (e.g., industry and professional guidance).

IIA Standard 2400: Communicating Results

Internal auditors must communicate the results of engagements.

IIA Standard 2410: Criteria for Communicating

Communications must include the engagement's objectives, scope, and results.

2410.A1: Final communication of engagement results must include applicable conclusions, as
well as applicable recommendations and/or action plans. Where appropriate, the internal
auditors’ opinion should be provided. An opinion must take into account the expectations of
senior management, the board, and other stakeholders and must be supported by sufficient,
reliable, relevant, and useful information.

Interpretation

Opinions at the engagement level may be ratings, conclusions, or other descriptions of the
results. Such an engagement may be in relation to controls around a specific process, risk, or
business unit. The formulation of such opinions requires consideration of the engagement
results and their significance.

2410.A2: Internal auditors are encouraged to acknowledge satisfactory performance in
engagement communications.

IIA Standard 2420: Quality of Communications

Communications must be accurate, objective, clear, concise, constructive, complete, and
timely.

Interpretation

Accurate communications are free from errors and distortions and are faithful to the underlying
facts. Objective communications are fair, impartial, and unbiased and are the result of a fair-
minded and balanced assessment of all relevant facts and circumstances. Clear
communications are easily understood and logical, avoiding unnecessary technical language
and providing all significant and relevant information. Concise communications are to the point
and avoid unnecessary elaboration, superfluous detail, redundancy, and wordiness.
Constructive communications are helpful to the engagement client and the organization and
lead to improvements where needed. Complete communications lack nothing that is essential
to the target audience and include all significant and relevant information and observations to
support recommendations and conclusions. Timely communications are opportune and
expedient, depending on the significance of the issue, allowing management to take
appropriate corrective action.

IIA Standard 2430: Use of “Conducted in Conformance with the International Standards
for the Professional Practice of Internal Auditing”

Indicating that engagements are “conducted in conformance with the International Standards
for the Professional Practice of Internal Auditing” is appropriate only if supported by the results
of the quality assurance and improvement program.

IIA Standard 2440: Disseminating Results

The chief audit executive must communicate results to the appropriate parties.

Interpretation

The chief audit executive is responsible for reviewing and approving the final engagement
communication before issuance and for deciding to whom and how it will be disseminated.
When the chief audit executive delegates these duties, he or she retains overall responsibility.

2440.A1: The chief audit executive is responsible for communicating the final results to parties
who can ensure that the results are given due consideration.

2440.A2: If not otherwise mandated by legal, statutory, or regulatory requirements, prior to
releasing results to parties outside the organization, the chief audit executive must:

• Assess the potential risk to the organization.

• Consult with senior management and/or legal counsel as appropriate.

• Control dissemination by restricting the use of the results.

IIA Standard 2500: Monitoring Progress

The chief audit executive must establish and maintain a system to monitor the disposition of
results communicated to management.

2500.A1: The chief audit executive must establish a follow-up process to monitor and ensure
that management actions have been effectively implemented or that senior management has
accepted the risk of not taking action.

IIA Standard 2600: Communicating the Acceptance of Risks

When the chief audit executive concludes that management has accepted a level of risk that
may be unacceptable to the organization, the chief audit executive must discuss the matter
with senior management. If the chief audit executive determines that the matter has not been
resolved, the chief audit executive must communicate the matter to the board.

Interpretation

The identification of risk accepted by management may be observed through an assurance or
consulting engagement, monitoring progress on actions taken by management as a result of
prior engagements, or other means. It is not the responsibility of the chief audit executive to
resolve the risk.

Appendix B: Glossary⁴

Assurance services

An objective examination of evidence for the purpose of providing an independent assessment
on governance, risk management, and control processes for the organization. Examples may
include financial, performance, compliance, system security, and due diligence engagements.

Board

The highest level of governing body (e.g. a board of directors, a supervisory board, or a board
of governors or trustees) charged with the responsibility to direct and/or oversee the
organization’s activities and hold senior management accountable. Although governance
arrangements vary among jurisdictions and sectors, typically the board includes members who
are not part of management. If a board does not exist, the word “board” in the Standards refers
to a group or person charged with governance of the organization. Furthermore, “board” in the
Standards may refer to a committee or another body to which the governing body has
delegated certain functions (e.g., an audit committee).

Chief Audit Executive (CAE)

Chief audit executive describes the role of a person in a senior position responsible for
effectively managing the internal audit activity in accordance with the internal audit charter and
the mandatory elements of the International Professional Practices Framework. The CAE or
others reporting to the CAE will have appropriate professional certifications and qualifications.
The specific job title and/or responsibilities of the CAE may vary across organizations.

Consulting services

Advisory and related client service activities, the nature and scope of which are agreed with
the client, are intended to add value and improve the organization’s governance, risk
management, and control processes without the internal auditor assuming management
responsibility. Examples include counsel, advice, facilitation, and training.

⁴ https://global.theiia.org/certification/Public Documents/Glossary.pdf

Engagement

A specific internal audit assignment, task, or review activity, such as internal audit, control self-
assessment review, fraud examination, or consultancy. An engagement may include multiple
tasks or activities designed to accomplish a specific set of related objectives.

Engagement objectives

Broad statements developed by internal auditors that define intended engagement
accomplishments.

Engagement opinion

The rating, conclusion, and/or other description of results of an individual internal audit
engagement, relating to those aspects within the objectives and scope of the engagement.

Internal audit activity

A department, division, team of consultants, or other practitioner(s) that provides independent,
objective assurance and consulting services designed to add value and improve an
organization’s operations. The internal audit activity helps an organization accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of governance, risk management, and control processes.

Risk

The possibility of an event occurring that will have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.

Appendix C: Audit Report Template

Executive Summary
Objectives:
Specific objectives of the internal audit engagement which relate to the engagement client’s objectives.

Scope:
Scope of the engagement in relation to the objectives as mentioned above. Scope and objectives
should be in line with the relevant standards.

Background:
Background information pertinent to the activity under review.

Conclusion:
A summary of outcomes of the engagement as well as a conclusion on the audit objectives.

Internal Audit Opinion:
An audit opinion on the risk and control environment of the process under review.

Management Response:
A detailed action plan will be developed by management to address the engagement observations.

Details of the Review

1. OBSERVATION NAME (Risk Impact)

Description: Description of observation, i.e., current situation within the process being
reviewed and explanation of the standards against which the observation is measured
(Condition, Criteria)
Cause: State the underlying reason for the difference between the criteria and condition
Effect/Risk: Identify the risks or exposure due to the condition not being consistent with
the criteria
Recommendation / Agreed Action: Corrective action required to address the gap between the
criteria and condition
Responsible Person: Person responsible for the action
Due Date: Target date for completing the action

2. OBSERVATION NAME (Risk Impact)

Description: Description of observation, i.e., current situation within the process being
reviewed and explanation of the standards against which the observation is measured
(Condition, Criteria)
Cause: State the underlying reason for the difference between the criteria and condition
Effect/Risk: Identify the risks or exposure due to the condition not being consistent with
the criteria
Recommendation / Agreed Action: Corrective action required to address the gap between the
criteria and condition
Responsible Person: Person responsible for the action
Due Date: Target date for completing the action

Appendix D: Audit Report Examples

On the following pages are two simplified audit report examples that show how audit report
components could be included in a written internal audit report:

• The first example is of an audit report for City Parks and Recreation Department.

• The second example is an audit report for ABC Unlimited.

Office of the City Auditor
Audit of Sportsplex Contract

Purpose

The purpose of this audit was to ensure compliance of the contractor with the Sportsplex contract terms
with a focus on payments due from the Contractor to the City. This audit was requested by department
management through the annual risk assessment process performed by the City Auditor’s Office.
 
Objectives and Scope

The objective of our audit was to ensure adequate procedures and processes are in place to properly
account for Sportsplex revenue and that all required reports were submitted by the contractor to the
Parks and Recreation management.

This audit included the Sportsplex owned by the City and managed via contractor through management
agreements with the City.

The scope did not include transactions and activities in other departments or centers under the Parks
and Recreation management (scope limitation).

The audit covered revenue from Calendar Year 2015. Our fieldwork concluded on February 15, 2016.
 
Acknowledgements

We would like to thank the management and staff of the Parks and Recreation Department and the
management of Hometown Sports Management for their courteous and prompt assistance during our
audit.

Conclusion

Overall, based on the results of our audit, the contractor, Hometown Sports Management, has complied
with the terms of the Management Agreement with the City over the Sportsplex. We do note that the
revenue reporting process can be enhanced to improve accountability by implementing our
recommendations related to the reporting of all revenue and the submission of required management
reports to the City.

Background

In April 2009, the City executed two contracts (Management Agreements) with Hometown Sports
Management (HSM), LLC for a 16-year lease term to 2025. HSM is responsible for the supervision,
management, and routine maintenance and repairs of the facilities and parking lots. HSM is also
responsible to conduct at least 35 events per calendar year at each facility. Parks and Recreation
provides the agreement administration and management. Among the terms of the contracts is the
requirement that HSM will share 5% of annual gross revenue above $850,000 for the Sportsplex with
the City.

Observations and Recommendations

# 1: Revenue Under-reported
Rating: Low
Observation
The 2015 annual report of revenue generated at the Sportsplex did not include concession revenue and
revenue from a partnership, RUSH Soccer, totaling $242,890. Per the management agreements with
the contractor, the contractor is required to submit an itemized report setting forth the amount of all
gross revenue received by the contractor (Manager) for the previous calendar year, certified by the
chief financial officer or chief executive officer of the contractor as to its accuracy. The itemized
report is to include concessions and any other revenue received by the contractor. As revenues were
far from the revenue sharing threshold ($850,000 for the Sportsplex), the revenue reporting process
was rather informal and the emphasis on accuracy was not high. Therefore, the annual report of
revenue was incomplete and under-reported for the calendar year.
The management agreement requires concessions to be reported using the greater of 25% of actual
concession revenue or the projected concession revenue.
Recommendation
Parks and Recreation management should:
1.1 Develop a template for the contractor to use for submitting the annual itemized revenue report
that would include all revenue, especially concessions and sponsorships.
1.2 Review the annual itemized revenue report submitted by the contractor to ensure completeness
and reasonableness of amounts reported. Any discrepancies should be immediately resolved with
the contractor.
Action Plan
1.3 A template has been developed and communicated to the contractor requiring its use to submit
revenue reports including all revenue.

1.4 The Director of Parks and Recreation will review annually all revenue reports submitted by the
contractor.
Responsible Personnel
Director of Parks and Recreation
Due Date

April 15, 2016

# 2: Reported Revenue does not meet Projected Revenue

Rating: Low
Observation
The revenue during the 2015 calendar year did not meet the projected revenue stated in the
management agreements with the contractor. The contractor stated that the combination of the
downturn in the economy and the departure of the City’s baseball team were some key factors
impacting revenues. As a result, revenue realized fell short of the revenue sharing threshold.

Recommendation
Parks and Recreation management should:
2.1 Continue to work with the contractor to ensure the Sportsplex facility realizes maximum revenue
potential.

Action Plan
2.1 A process is being developed to provide insight into how the contractor is being managed. A report
will be created to submit to the Director of Parks and Recreation for quarterly review.

Responsible Personnel
Director of Parks and Recreation

Due Date

April 15, 2016

ABC Unlimited Internal Audit
Internal Audit report
29 April 2016
Treasury Function Audit

Objectives and Scope

The audit covered the treasury function of ABC Unlimited. The scope included evaluating the following
processes: electronic bank account access administration, bank account reconciliation, bank and
general ledger accounts monitoring and reporting, daily borrowing requirements, and credit line
availability.

Process / assessment: Treasury Function – Red

Background

The treasury function experienced an unusually high turnover rate in FY2015. Treasury management
was not fully staffed, which created a lack of segregation of duties.

Opinion

The audit was rated Red due to significant issues identified with the contract management process.

Additional opportunities for improvement were noted in management of bank account access and the
monthly bank reconciliation process.

We would like to thank management for its positive attitude and the support we received during our
work.

Summary of observations

Ref   Title                                        Criticality
A.1   Insufficient Contract Management Process     Critical
A.2   Bank Account Access Controls Lacking         Significant
A.3   Inadequate Bank Reconciliation Process       Significant

Response

Francis Financial and Miguel Money should provide an update by 30 May 2016. The “Latest update” of
the response section should be completed for this purpose.

OBSERVATIONS, RECOMMENDATIONS AND MANAGEMENT RESPONSE

Reference (A.1) Insufficient Contract Management Process

Criticality Critical
Observation
Formal documentation regarding the contract expiration tracking and renewal process, as
well as ABC Unlimited’s responsibilities with regard to this process, could not be provided at
the time of this audit.

While the credit line contract appears to have been renewed at the expiration of the
previous term, should those currently involved in the renewal process be unavailable for
future renewals, access to the company’s credit line through the bank could be at risk.

Recommendation
Management should formally document the process for tracking the credit line contract
expiration and renewal process through use of Standard Operating Procedure (SOP)
documents.

Appropriate personnel should be tasked with tracking contract expiration, coordinating
internal contract renewal processes, and maintaining and archiving documentation as
necessary. Additionally, it is recommended that SOPs be reviewed and updated at least
annually.

Planned action
In CY2017, the Company will be updating its Strategic Plan, which will be the catalyst and
framework for developing our strategic financial plan, which will define, among other things,
target capital structure, sources of capital, funding requirements over the next three years,
and the like. On this basis we will then engage the bank in advance (typically one year
ahead) of the expiration of our current facility, to begin planning for the marketing and
execution of our new facility.

Responsible Francis Financial, CFO

Target date 01 December 2016

Latest update

Reference (A.2) Bank Account Access Controls Lacking

Criticality Significant
Observation
Control deficiencies were identified related to bank account access as follows:
Terminations of employment and position transfers for users with bank account access are
not communicated to bank account security administrators; 20.9% (9 out of 43) of users
with bank account access had been terminated or transferred without adjustments being made
to their account access privileges. A user was also given access to generate reports for a
bank account the user had no business reason to access.
Additionally, it is not currently the practice of ABC Unlimited to recover the bank access
account tokens upon termination of employment or transfer to a new position. This
combination of factors could result in unauthorized access to company accounts as
terminated associates or associates transferring to new positions retain both the system
login credentials and bank access token required to access company accounts.
While the accounts where terminated or transferred associates retained access were not
accounts where company funds could be directly funneled outside the organization, those
with access could process unauthorized fund pulls from customer accounts. This could
result in losing customer accounts and reduced customer confidence in the organization.

Recommendation
Management should establish a process where Treasury is notified immediately when
associates with bank account access are terminated or transferred to new positions within
the organization. This will help reduce the risk of unauthorized account access and will aid
Treasury in maintaining bank access entitlements.
A review of the bank access entitlements of all users should be performed annually.

Planned action
Management agrees there needs to be greater communication between Treasury, Credit
and Human Resources to ensure that all employees with banking access are current
employees with roles in the AR/Credit area. Treasury will establish a one over one (preparer
and approver) control process to review current users on a quarterly basis and will establish
a practice of turning over their token ID to their supervisor at their respective location.

Responsible Miguel Money, Controller

Target date 30 June 2016

Latest update
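
Observation A.2 rests on a reconciliation test: the list of users holding bank account access is compared against HR termination and transfer records, each user's business need for the access is checked, and token recovery is confirmed for leavers and movers. The following Python script is an added example of that review and is not part of the ABC Unlimited sample report or the Practice Guide. The HR records, account identifiers, roles, the set of departments assumed to have a business reason for access, and the rule that a transfer counts as an exception only when it leaves those departments are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str                        # "active", "terminated" or "transferred"
    department: str                    # current department, after any transfer
    event_date: Optional[date] = None  # termination or transfer date, if any


@dataclass(frozen=True)
class BankEntitlement:
    user_id: str
    account: str
    role: str                          # e.g. "reporting", "payments", "admin"
    token_returned: bool               # hardware token recovered from the user


@dataclass(frozen=True)
class Finding:
    user_id: str
    account: str
    issue: str


# Departments assumed to have a business reason for bank account access (constructed).
AUTHORISED_DEPARTMENTS = {"Treasury", "AR/Credit"}


def review_entitlements(hr_records, entitlements):
    """Compare who holds bank access against HR status. Returns the exceptions and
    the leaver/mover exception rate, counted per user (as the report's 9 of 43 is)."""
    hr = {r.user_id: r for r in hr_records}
    findings, leaver_mover_users, token_flagged = [], set(), set()
    for e in entitlements:
        rec = hr.get(e.user_id)
        if rec is None:
            findings.append(Finding(e.user_id, e.account, "no HR record for user holding bank access"))
            continue
        moved_out = rec.status == "transferred" and rec.department not in AUTHORISED_DEPARTMENTS
        if rec.status == "terminated":
            findings.append(Finding(e.user_id, e.account, "access retained after termination"))
        elif moved_out:
            findings.append(Finding(e.user_id, e.account, f"access retained after transfer to {rec.department}"))
        elif rec.department not in AUTHORISED_DEPARTMENTS:
            findings.append(Finding(e.user_id, e.account, f"no business reason for {e.role} access ({rec.department})"))
        if rec.status == "terminated" or moved_out:
            leaver_mover_users.add(e.user_id)
            # A token belongs to the user, so report it once even if several accounts are held.
            if not e.token_returned and e.user_id not in token_flagged:
                token_flagged.add(e.user_id)
                findings.append(Finding(e.user_id, e.account, "hardware token not recovered"))
    users_with_access = {e.user_id for e in entitlements}
    n = len(users_with_access)
    return {
        "users_with_access": n,
        "leaver_mover_exceptions": len(leaver_mover_users),
        "exception_rate_pct": round(100 * len(leaver_mover_users) / n, 1) if n else 0.0,
        "findings": findings,
    }


# Constructed sample extracts: an HR roster and the bank's user entitlement list.
SAMPLE_HR = [
    HrRecord("u01", "active", "Treasury"),
    HrRecord("u02", "active", "AR/Credit"),
    HrRecord("u03", "terminated", "Treasury", date(2016, 2, 10)),
    HrRecord("u04", "transferred", "Sales", date(2016, 3, 1)),
    HrRecord("u05", "active", "Sales"),
    HrRecord("u06", "active", "Treasury"),
    HrRecord("u07", "terminated", "AR/Credit", date(2016, 1, 20)),
    HrRecord("u08", "active", "AR/Credit"),
    HrRecord("u09", "transferred", "Treasury", date(2016, 4, 1)),
    HrRecord("u10", "active", "Treasury"),
]
SAMPLE_ENTITLEMENTS = [
    BankEntitlement("u01", "OPER-001", "payments", token_returned=False),
    BankEntitlement("u02", "LOCKBOX-001", "reporting", token_returned=False),
    BankEntitlement("u03", "LOCKBOX-001", "reporting", token_returned=False),
    BankEntitlement("u04", "LOCKBOX-001", "reporting", token_returned=True),
    BankEntitlement("u05", "LOCKBOX-002", "reporting", token_returned=False),
    BankEntitlement("u06", "OPER-001", "admin", token_returned=False),
    BankEntitlement("u07", "OPER-001", "payments", token_returned=True),
    BankEntitlement("u08", "LOCKBOX-002", "reporting", token_returned=False),
    BankEntitlement("u09", "LOCKBOX-002", "reporting", token_returned=False),
    BankEntitlement("u10", "OPER-001", "payments", token_returned=False),
    BankEntitlement("u99", "LOCKBOX-002", "reporting", token_returned=False),  # not in HR
]

if __name__ == "__main__":
    result = review_entitlements(SAMPLE_HR, SAMPLE_ENTITLEMENTS)
    print(f"{result['leaver_mover_exceptions']} of {result['users_with_access']} users "
          f"({result['exception_rate_pct']}%) retained access after leaving or moving")
    for f in result["findings"]:
        print(f"  {f.user_id}  {f.account:<12} {f.issue}")
```

Run against the same two extracts each quarter, this is the "one over one" review management commits to in the planned action; the preparer runs it and the approver signs off on the findings list, and a user who appears in the entitlement list with no HR record at all is treated as an exception rather than ignored.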

Reference (A.3) Inadequate Bank Reconciliation Process

Criticality Significant
Observation
Monthly reconciliations were not being completed regularly and completely.

Upon review of the bank account reconciliations, the following issues were noted:

• 75% (12 of the 16) reconciliations did not contain the date the reconciliation was
completed.
• 19% (3 of the 16) reconciliations contained only a screen print of account balances
and were not reconciled against bank data.
• 81% (13 of the 16) reconciliations had not been reconciled for one or more months within
the current fiscal year.
• 31% (5 of the 16) reconciliations contained unreconciled balances aged greater than
30 days.

By not completing monthly reconciliations regularly, inaccuracies, errors, fraud, or other
issues may go undetected.

It was also noted that the Manager Treasury Operations performs many of the
organization’s bank account reconciliations. Proper segregation includes separation of
custody, recording, and reconciliation responsibilities. As the Manager Treasury Operations
is the administrator for the organization’s bank accounts with direct access to company
funds, duties are not adequately segregated within the Treasury function (both custody and
reconciliation responsibilities).

Recommendation
Management should ensure reconciliations are performed each month and that reconciling
items are resolved within 30 days of being identified. This will help ensure that bank and
account accuracy is properly maintained.
The responsibilities of custody and reconciliation of company funds must be segregated.
This can be achieved by giving the bank account reconciliation responsibilities to an
associate without bank account access. Segregating these responsibilities will help ensure
that fraud risk is better controlled within the organization.

Planned action
Management agrees that monthly bank reconciliations as well as the resolution of any
outstanding issues are important in fraud prevention. A project is currently in process for the
cash deposit accounts to better establish procedures and processes to ensure that the daily
cash applications result in a more timely and seamless reconciliation.
Management realizes the importance of segregation of duties in regard to the Manager of
Treasury reconciling accounts as well as having administrative rights over accounts.
However, given the number of people in the department, with three of the four employees
being cash application employees, it is difficult to have true segregation of duties; a
preparer/reviewer process is more achievable. Management recommends documenting the
reconciliation process and will train employees to perform reconciliations on the deposit
accounts only. All reconciliations will have a final review performed, signed off, and dated by
the Director of Financial Shared Services, and all reconciling items and disputes will be
resolved within 30-45 business days after the end of the month.

Responsible Miguel Money, Controller

Target date 15 July 2016

Latest update

Staffing and timing

ABC Unlimited Audit Team:

Closing presentation: The closing presentation was held on 15 April 2016.

Distribution

Board members:
External auditors:
Francis Financial, CFO
Miguel Money, Controller
Susie Smarty, CAE

Authors/Contributors

Listed in alphabetical order:

Brad Ames, CRMA
Fabiano Castello, CIA, CCSA, CRMA
Despoina Chatzaga, CIA, CCSA, CFSA
Caroline M. Glynn, CIA
Judy Grobler, CIA, CRMA
Sara Lademan, CIA
Takuya Morita, CIA
Ranjit Singh, CRMA

About The IIA

The Institute of Internal Auditors (The IIA) is the internal audit profession’s most widely recognized advocate, educator,
and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 185,000
members from more than 170 countries and territories. The association’s global headquarters are in Altamonte
Springs, Fla. For more information, visit www.globaliia.org or www.theiia.org.

About Supplemental Guidance

Supplemental Guidance is part of The IIA’s International Professional Practices Framework (IPPF) and provides
additional recommended (non-mandatory) guidance for conducting internal audit activities. While supporting the
Standards, Supplemental Guidance is not intended to directly link to achievement of conformance with the Standards.
It is intended instead to address topical areas, as well as sector-specific issues, and it includes detailed processes and
procedures. This guidance is endorsed by The IIA through formal review and approval processes.

Practice Guides
Practice Guides are a type of Supplemental Guidance that provide detailed guidance for conducting internal
audit activities. They include detailed processes and procedures, such as tools and techniques, programs,
and step-by-step approaches, as well as examples of deliverables. As part of the IPPF Guidance,
conformance with Practice Guides is recommended (non-mandatory). Practice Guides are endorsed by The
IIA through formal review and approval processes.

A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward
business language to address a timely issue related to information technology management, control, or
security.

For other authoritative guidance materials provided by The IIA, please visit our website at
www.globaliia.org/standards-guidance or www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes; it is not intended to provide definitive
answers to specific individual circumstances. As such, it is only intended to be used as a guide. The IIA recommends
that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no
responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2016 The Institute of Internal Auditors.
For permission to reproduce, please contact guidance@theiia.org.

October 16

IPPF – Practice Guide

Auditing Anti-bribery and Anti-corruption Programs

June 2014

Table of Contents

Executive Summary..................................................................................................................1

Introduction.............................................................................................................................1

Global Landscape....................................................................................................................3

Effective Anti-bribery and Anti-corruption Programs and the Role of Internal Audit.................5

Risks, Red Flags, and Audit Activities....................................................................................11

Appendix 1: Comparison of Legislation in Select Countries....................................................17

Appendix 2: Internal Controls: Update Based on COSO Elements...........................................18

Appendix 3: Sample Audit Procedures....................................................................................18

Appendix 4: References..........................................................................................................20

www.globaliia.org/standards-guidance / iii
Executive Summary

Increasing globalization, legal complexities, and the potential for serious financial and reputational harm have made the risks of bribery and corruption, and audits of anti-bribery and anti-corruption programs, top corporate issues. Auditing anti-bribery and anti-corruption programs requires a team of auditors with collective skills, knowledge, and expertise in compliance, fraud, investigations, regulatory affairs, IT, finance, culture, and ethics.

On the global front, the U.S. Foreign Corrupt Practices Act (FCPA) and the U.K. Bribery Act are examples of strict legal regulations, each with far-reaching international implications. Evolving anti-bribery and anti-corruption legislation in China, Hong Kong, India, and other countries (see page 17) further complicates the matter. Private and public sector organizations are raising awareness of bribery and corruption exposures and fighting back through international accords, regional conventions, best practice guides, and information on perceptions and instances of bribery and corruption.

Anti-bribery and anti-corruption legislation has led to the development of organizational anti-bribery and anti-corruption programs with well-defined components, including tone at the top/governance structure, risk assessment (including third-party due diligence), policies and procedures, communication and training, monitoring and auditing, reports and investigations, enforcement and sanctions, and reviews and updates. Internal auditors in organizations with formal anti-bribery and anti-corruption programs have the opportunity to assess the effectiveness of each component and how all of the components work together to deter, curtail, and detect bribery and corruption.

Internal auditors in organizations with non-existent or informal anti-bribery and anti-corruption programs have the opportunity to help their organizations establish a baseline by identifying and investigating red flags in high-risk areas such as third-party relationships, gifts and entertainment, political contributions, and procurement. Audit observations in these and other areas can be leveraged by the organization to prioritize its anti-bribery and anti-corruption initiatives as input to developing and sustaining a formal anti-bribery and anti-corruption program.

Auditing anti-bribery and anti-corruption programs requires varying levels of collaboration and information sharing with other governance functions such as regulatory compliance, external auditors, investigators, and the governing board. Before getting started, the chief audit executive (CAE) or lead internal auditor should consult with the organization’s general counsel or legal representative to gain a full understanding of the potential legal implications of the audit scope, fieldwork, and findings.

Introduction

In 2009, The IIA released Internal Auditing and Fraud, a practice guide designed to increase internal auditors’ awareness of fraud and provide guidance on how to address fraud risks on internal audit engagements. As described in that practice guide, corruption is one of several common fraud schemes and bribery is a form of corruption. This practice guide complements Internal Auditing and Fraud by providing specific guidance for assessing the effectiveness of an organization’s system of internal control for bribery and corruption. Other related IIA guidance includes the following Practice Guides: Reliance by Internal Audit on Other Assurance Providers and Auditing the Control Environment. As well, The IIA’s Audit Executive Center has published a Knowledge Briefing entitled Internal Auditing and the Foreign Corrupt Practices Act (membership required).

Business Significance

Organizations that ignore the potential impacts of bribery and corruption do so at their peril. Regardless of the country, industry, or type of organization, global reach brings global

risk. Each region, government, and project has unique complexities, variables, and opportunities for bribery and corruption. However, risks have traditionally been greater for organizations in certain geographies and industries.

Related Risks

Bribery and corruption put businesses and governments at risk worldwide and affect organizations, private individuals, and officials. Bribery and corruption are found in private and public sector transactions and in dealings between the two. In fact, bribery and corruption have become major issues in the public sector and are especially worrisome when associated with government appointments. Bribery and corruption expose organizations to risks in achieving operations, reporting, and compliance objectives, and may result in:

• Stifled market competition.
• Impeded economic growth.
• Barriers to improved standards of living.
• Compromised product quality.
• Higher prices.
• Diminished trust.
• Discouragement of foreign direct investment.

Related IIA Standards

The International Professional Practices Framework (IPPF) outlines the following International Standards for the Professional Practice of Internal Auditing (Standards) pertaining to fraud (inclusive of bribery and corruption).

Standard 1200: Proficiency and Due Professional Care

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Standard 1220: Due Professional Care

1220.A1 – Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement’s objectives;
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
• Adequacy and effectiveness of governance, risk management, and control processes;
• Probability of significant errors, fraud, or noncompliance; and
• Cost of assurance in relation to potential benefits.

Standard 2060: Reporting to Senior Management and the Board

The chief audit executive must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

Standard 2120: Risk Management

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

Standard 2210: Engagement Objectives

2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Definitions of Key Concepts

Board — the highest level of governing body charged with the responsibility to direct and/or oversee the activities and management of the organization. Typically, this includes an independent group of directors (e.g., a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist, the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the governing body has delegated certain functions (Standards).

Bribery — the offering, giving, receiving, or soliciting of anything of value to influence an outcome (Practice Guide, Internal Auditing and Fraud).

Control — any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved (Standards).

Corruption — the misuse of entrusted power for private gain (Practice Guide, Internal Auditing and Fraud).

Fraud — any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage (Standards).

Red Flag1 — a warning sign; a sign that there is a problem that should be noticed or dealt with (Merriam-Webster.com).

Risk — the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood (Standards).

Global Landscape

Private and public sector organizations worldwide are responding to the risks of bribery and corruption. Responses include:

• International accords, where member countries embrace an agreed-upon system of principles with the intent to enact them into law. The United Nations Convention against Corruption and The United Nations Declaration against Corruption and Bribery in International Commercial Transactions are two examples.
• National laws.
• Codes of best practices.
• Regional conventions, where recognized agencies, usually in regions with bribery and corruption problems, issue statements of intent.
• Public and private sector policy statements.
• Non-profit organizations that catalog instances of abuse, best practices, and government efforts to combat bribery and corruption.

Legislation

Many developed countries have enacted legislation to curb bribery and corruption. Other nations are considering new legislation or are in the process of adopting or updating current law. Appendix 1 provides comparative legislative highlights for select countries.

Several laws fundamentally affect how individuals work, and many have international impacts. Two of the strictest legal regimes designed to combat bribery and corruption are the FCPA and the U.K. Bribery Act. Transparency International (www.transparency.org) also provides an overview of bribery and corruption legislation and emerging changes.

1 By permission. From Merriam-Webster’s Collegiate® Dictionary, 11th Edition ©2014 by Merriam-Webster, Inc. (www.Merriam-Webster.com).



U.S. Foreign Corrupt Practices Act (FCPA)

The FCPA prohibits U.S. persons and businesses from making payments to foreign government officials or politicians to influence business dealings. The FCPA also contains accounting provisions that require issuers to keep accurate books and records and to maintain adequate internal accounting controls; these provisions work in tandem with the anti-bribery provisions, since a bribe disguised as a legitimate expense is also a books-and-records violation.

The IIA Audit Executive Center Knowledge Briefing, Internal Auditing and the Foreign Corrupt Practices Act, provides direction on aspects of the law and highlights best practices for CAEs and boards in assessing FCPA risks. Some of these best practices include:

• Internal auditors making sure controls are properly designed, well established, and documented.
• Assessing FCPA risk areas by evaluating policies and procedures.
• Organizationwide compliance initiatives to develop policies and procedures that identify corrupt practices.
• Board members ensuring that the organization’s code of conduct and policies outline the steps needed to achieve FCPA compliance.

U.K. Bribery Act 2010

The U.K. Bribery Act provides prosecutors and courts with a strong framework to address bribery in the U.K. and abroad. It is considered wider in scope than the FCPA because it applies to both the private and the public sector. Compared with the FCPA, the U.K. Bribery Act defines bribery more broadly and imposes liability on a commercial organization for failing to prevent bribery by “associated persons” (those who perform services for or on behalf of the organization, such as employees, agents, and subsidiaries).

The U.K. Bribery Act defines bribery as the receiving or offering/giving of any benefit by or to any public servant or officeholder, or to a director or employee of a private organization, to induce that person to give improper assistance in breach of his or her duty to the government or organization that has employed or appointed the individual. An occasion where such assistance might be sought would be the award of an export contract, where a bribe might be used to influence the tendering process. The U.K. Bribery Act covers bribes paid to individuals who, although not holding an appointment in a relevant organization or national government, are nevertheless able to exert influence over such an appointee by reason of some personal, business, or other relationship. It also covers bribes paid in advance as an inducement to a person to act inappropriately, or retrospectively pursuant to a previous promise, understanding, or agreement.

The act creates offenses for:

• Bribery.
• The act of being bribed.
• Bribing foreign public officials.
• Failure of a commercial organization to prevent bribery on its behalf.

These offenses apply to conduct in or outside the U.K. where the person committing it has a close connection with the U.K., and the failure-to-prevent offense applies to any commercial organization that carries on business in the U.K., wherever the bribe was paid.

Other Legislation and Anti-bribery and Anti-corruption Measures

Anti-bribery and anti-corruption laws and initiatives exist worldwide, but it is widely recognized that better laws, codes of practice, and enhanced enforcement actions are still needed. The following references provide information about the global scope of anti-bribery and anti-corruption measures (as of June 2013).

• Transparency International (www.transparency.org)
• The Organisation for Economic Co-operation and Development (OECD) Anti-Bribery Convention (1999) (www.oecd.org)

• OECD — Country Reports on the Implementation of the OECD Anti-Bribery Convention and the 1997 Revised Recommendation (www.oecd.org)
• United Nations — Working Group on the Review of Implementation (www.unodc.org)
• United Nations — Global Compact (www.unglobalcompact.org)
• World Bank — Department of Institutional Integrity (www.worldbank.org)
• World Bank Institute — Governance and Anti-Corruption (www.worldbank.org)
• World Economic Forum — Partnering against Corruption Forum (www.weforum.org)
• The African Union Convention on Preventing and Combating Corruption (July 2003)
• The United Nations Convention against Corruption (entered into force in December 2005)
• China — Anti-corruption measures (including the Criminal Law and the Anti-unfair Competition Law and Interim Regulations on prohibiting business bribery)
• Hong Kong — The Prevention of Bribery Ordinance (POBO)
• India — The Prevention of Corruption Act 1988 (PCA)
• Indonesia — Various laws including the Good Governance Law, Eradication of Criminal Acts of Corruption, Commission for the Eradication of Corruption (KPK Law), and the Corruption Tribunal (Corruption Tribunal Law)
• Japan — Several laws such as the National Public Service Ethics Act and the Political Ethics Law
• Singapore — The Prevention of Corruption Act (PCA); the Penal Code; and the Corruption, Drug Trafficking, and Other Serious Crimes (Confiscation of Benefits) Act (CDSA)

Effective Anti-bribery and Anti-corruption Programs and the Role of Internal Audit

A comprehensive anti-bribery and anti-corruption program should include entity-level, process-level, and transaction-level controls. The hallmark components of effective anti-bribery and anti-corruption programs include tone at the top, governance structure, risk assessment, policies and procedures, training and communication, monitoring and auditing, investigations and reports, enforcement and sanctions, and reviews and updates. Internal audit’s role in anti-bribery and anti-corruption programs will depend on the organization’s governance structure. Internal audit’s level of involvement should be recommended by the CAE and approved by the board. Internal audit can play a significant role in reinforcing the importance of anti-bribery and anti-corruption programs.

Internal audit should assess the effectiveness of anti-bribery and anti-corruption programs to help anticipate the risk, and identify the existence of potential and actual incidents. Two different, but complementary, approaches that may be used exclusively or in conjunction with each other include:

• Auditing each component of the anti-bribery and anti-corruption program.
• Incorporating an assessment of anti-bribery and anti-corruption measures in all audits, as appropriate. In this approach, bribery and corruption risks should be incorporated into the risk assessment and scoping process of each audit. For example, a financial audit may include a review of cash transactions and a vendor management office audit might include a review of third-party due diligence practices. Each audit may:

›› Include procedures to assess bribery and corruption risks.

›› Evaluate bribery and corruption scenarios.
›› Evaluate the control environment and anti-bribery and anti-corruption programs in that audit area.
›› Link the scope of an area’s audit procedures to its assessed risk.

Both approaches should utilize data analytics to look for red flags and obtain other audit evidence related to anti-bribery and anti-corruption programs.1 Internal auditors emphasizing an established program approach may find the guidance in this section particularly useful. Internal auditors favoring an “all audits” approach may want to focus on the next section, Risks, Red Flags, and Audit Activities (page 11). However, both sections will likely prove beneficial, regardless of approach.

Tone at the Top/Governance Structure

Component Overview

Effective risk mitigation starts with a strong tone at the top, setting the foundation for an overall compliance framework. The tone at the top is the ethical environment fostered by organizational leadership and the single most important factor in determining the organization’s resistance to bribery and corruption. No system of controls can provide absolute assurance against the commission of bribery or corruption. The board should, however, require the organization to develop comprehensive anti-bribery and anti-corruption programs.

Although each organization may have different methods for establishing the right tone, a good starting point is to issue a code of conduct and an anti-bribery and anti-corruption policy endorsed by the board of directors. Once the board has clearly committed to a strong policy, the best approach is zero tolerance and full compliance with anti-bribery and anti-corruption laws. This is not just ethically right; there is also increasing pressure for compliance from legislative bodies and nongovernmental organizations.

Internal Audit’s Role

Internal audit should understand the attitude and tolerance of the board and executive management toward bribery and corruption risks, assess whether that attitude is sufficiently restrictive, and validate that this attitude has been adequately communicated throughout the organization. As such, internal audit should scrutinize the governance structure and the monitoring and oversight responsibilities related to anti-bribery and anti-corruption programs.

Sample Review Questions

For sample review questions and related guidance on auditing tone at the top and governance structure, see the following IIA publications:

• Practice Guide, Auditing the Control Environment.
• Practice Guide, Evaluating Ethics-related Programs and Activities.
• Practice Guide, Internal Auditing and Fraud.
• Tone at the Top newsletters:
›› All Hands on Deck: Partnering to Fight Fraud (December 2013).
›› Shining a Light on Corruption (August 2012).

Risk Assessment

Component Overview

A comprehensive risk assessment identifies and analyzes bribery and corruption risks throughout the organization, including all locations and types of business. The risk assessment is a precondition for establishing the remaining components of the anti-bribery and anti-corruption program. It is critically important to review present and potential bribery and corruption risks, and to develop mitigating controls.

1 Global Technology Audit Guide (GTAG®) 16: Data Analysis Technologies
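The red-flag data analytics that this section says both audit approaches should use, shown as an added example (it is not part of this Practice Guide and not IIA code): a screen run over a constructed population of payment records that tests the areas the guide names in this section (cash transactions, third-party due diligence in high-risk countries, gifts and entertainment, facilitation-type payments) and adds two population-level tests a practitioner would normally include alongside them (a bank account shared by more than one vendor, and same-day split payments that together reach the approval threshold). The field names, the thresholds, the placeholder country codes XX and YY, and every record in the sample are assumptions made for illustration; a real engagement takes them from the organization’s policy and its risk assessment.

```python
"""Red-flag screening of payment records for an anti-bribery audit.

Added example, not from the IIA Practice Guide: a small data-analytics pass
of the kind the guide says both audit approaches should use. Field names,
thresholds, the placeholder country codes and every record below are
constructed assumptions for illustration, not the guide's own.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy parameters (hypothetical; take them from the organization's policy).
APPROVAL_THRESHOLD = 10_000.00      # second approver required at or above this
GIFT_LIMIT = 150.00                 # per-item gift/entertainment limit
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder codes from the risk assessment
VAGUE_TERMS = ("facilitat", "expedit", "commission", "consulting fee", "customs")

# Red-flag labels, so the workpaper and any tests refer to one string each.
CASH = "cash payment to a third party"
NO_DD = "high-risk country, no due diligence on file"
ONE_APPROVER = "at/above approval threshold with one approver"
GIFT = "gift/entertainment over policy limit"
VAGUE = "vague or facilitation-type description, round amount or cash"
SHARED_ACCT = "bank account shared by more than one vendor"
SPLIT = "same-day split payments reaching the threshold"


@dataclass(frozen=True)
class Payment:
    pid: str
    vendor: str
    bank_account: str
    country: str
    date: str            # ISO date string; enough for same-day grouping
    amount: float
    method: str          # "wire", "cash" or "card"
    category: str        # "services", "gift", "travel", ...
    description: str
    due_diligence_done: bool
    approvers: int


def screen(payments):
    """Return {pid: [labels]} for every payment that trips at least one test."""
    flags = defaultdict(list)
    # Population-level lookups: vendors sharing a bank account, and
    # vendor/day groups whose pieces add up to the approval threshold.
    vendors_per_account = defaultdict(set)
    same_day = defaultdict(list)
    for p in payments:
        vendors_per_account[p.bank_account].add(p.vendor)
        same_day[(p.vendor, p.date)].append(p)

    for p in payments:
        desc = p.description.lower()
        if p.method == "cash":
            flags[p.pid].append(CASH)
        if p.country in HIGH_RISK_COUNTRIES and not p.due_diligence_done:
            flags[p.pid].append(NO_DD)
        if p.amount >= APPROVAL_THRESHOLD and p.approvers < 2:
            flags[p.pid].append(ONE_APPROVER)
        if p.category == "gift" and p.amount > GIFT_LIMIT:
            flags[p.pid].append(GIFT)
        if any(t in desc for t in VAGUE_TERMS) and (p.amount % 1_000 == 0 or p.method == "cash"):
            flags[p.pid].append(VAGUE)
        if len(vendors_per_account[p.bank_account]) > 1:
            flags[p.pid].append(SHARED_ACCT)
        group = same_day[(p.vendor, p.date)]
        if (len(group) > 1
                and all(g.amount < APPROVAL_THRESHOLD for g in group)
                and sum(g.amount for g in group) >= APPROVAL_THRESHOLD):
            flags[p.pid].append(SPLIT)
    return dict(flags)


# Constructed sample population (not real data).
SAMPLE = [
    Payment("P1", "Acme Logistics", "BA-100", "DE", "2014-03-03", 4_200.00, "wire",
            "services", "freight forwarding, March", True, 1),
    Payment("P2", "Port Consulting Ltd", "BA-200", "XX", "2014-03-04", 20_000.00, "wire",
            "services", "consulting fee - customs clearance", False, 1),
    Payment("P3", "Port Consulting Ltd", "BA-200", "XX", "2014-03-05", 9_500.00, "wire",
            "services", "commission, project Delta", False, 2),
    Payment("P4", "Port Consulting Ltd", "BA-200", "XX", "2014-03-05", 9_800.00, "wire",
            "services", "commission, project Delta (2)", False, 2),
    Payment("P5", "Local Agent Co", "BA-300", "YY", "2014-03-07", 1_500.00, "cash",
            "services", "expedite permit", True, 1),
    Payment("P6", "Gift Shop", "BA-400", "DE", "2014-03-08", 85.00, "card",
            "gift", "client gift basket", True, 1),
    Payment("P7", "Fine Dining SA", "BA-500", "DE", "2014-03-09", 640.00, "card",
            "gift", "dinner, ministry delegation", True, 1),
    Payment("P8", "New Vendor GmbH", "BA-200", "DE", "2014-03-10", 3_000.00, "wire",
            "services", "site survey", True, 1),
]


def summarize(payments=SAMPLE):
    """Count how many payments trip each red flag, for the audit workpaper."""
    counts = defaultdict(int)
    for labels in screen(payments).values():
        for label in labels:
            counts[label] += 1
    return dict(counts)


if __name__ == "__main__":
    for pid, labels in sorted(screen(SAMPLE).items()):
        print(pid, "->", "; ".join(labels))
```

A flag is a prompt for follow-up, not a finding: the screen is meant to focus sample selection and interviews, and the two population-level tests only work when the whole payment file is loaded, since a shared bank account or a split payment is invisible in any single record.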


Internal Audit’s Role

Internal audit should understand all aspects of management’s existing anti-bribery and anti-corruption program before performing risk assessments. And internal audit should evaluate the inherent bribery and corruption risks as part of its comprehensive risk assessment. As well, the audit plan for assessing the effectiveness of anti-bribery and anti-corruption programs should be risk based.

Sample Review Questions

1. Does the organization use business intelligence resources to identify bribery and corruption risks when exploring business opportunities in established and emerging markets?
2. Does the organization regularly conduct due diligence on third-party providers?
3. Does the organization’s due diligence process meet regulatory requirements for scope and thoroughness?
4. Are third-party agreement approvals in place?
5. Is there a history of lawsuits, fines, and penalties related to bribery and corruption?

Policies and Procedures

Component Overview

The organization’s anti-bribery and anti-corruption standards should be clearly defined in well-documented policies. Detailed underlying procedures should explain how employees, business partners, and third parties should behave, and clearly specify what behavior is unacceptable and noncompliant. Policies and procedures establish constraints and define and embed an organization’s attitudes and practices on fraud, bribery, and corruption. The policies and procedures should include protocols for third-party dealings, payment processing, expense reporting, and training. To safeguard against employee self-dealing, best practice policies also address conduct outside of the job and conflicts of interest.

Internal Audit’s Role

Internal audit should sample test whether policies and procedures:

• Are documented appropriately.
• Are approved by appropriate management.
• Comply with applicable laws and regulations.
• Are implemented effectively.

Sample Review Questions

1. Do the anti-bribery and anti-corruption program standards comply with applicable laws and regulations?
2. Do policies and procedures address gifts and entertainment, meals and travel, charitable donations, and facilitation payments?

Communication and Training

Component Overview

Effective anti-bribery and anti-corruption programs require careful and continuous communication and training programs, updated to align with changing regulations and evolving country norms. General training regarding what constitutes bribery and corruption, how it harms the organization, and how to report it should be provided to all members of the organization. In addition, customized training should be provided by function or job responsibility to address specific bribery and corruption risks.

As an extension of training and communication, self-certification programs may further reduce risk. Various levels of management periodically certify that they have not paid bribes and have no knowledge of other employees or service providers having done so.


Internal Audit’s Role

Internal audit should share information and work with other functions such as fraud investigation, legal counsel, compliance, and external audit. For example, South Africa’s King Code of Governance makes this explicit by stating that the board should ensure there is an effective risk-based internal audit function that can be a source of information about instances of fraud, bribery and corruption, unethical behavior, and other irregularities. Also, in some countries, information on irregularities and illegal acts is required to be exchanged with external auditors and/or a competent regulatory agency.

Some internal audit groups also play a key role in training employees in anti-bribery and anti-corruption policies. When visiting other geographical locations, internal auditors may arrange meetings with employees to communicate the organization’s anti-bribery and anti-corruption message. Internal audit also may collaborate with legal and ethics teams on training and anti-bribery and anti-corruption audits. During anti-bribery and anti-corruption training sessions, trainers should reference the FCPA, the U.K. Bribery Act, Professional Guidance for Internal Auditors on the U.K. Bribery Act 2010 (published by the Chartered Institute of Internal Auditors), and other relevant legislation and guidance. Internal audit must consider, however, whether its training and/or communication activities could impair its objectivity in any manner.

Sample Review Questions

1. Is the organization aware of its exposure to global bribery and corruption risks?
2. Is anti-bribery and anti-corruption training mandatory for all employees?
3. Do employees fully understand the organization’s principal anti-bribery and anti-corruption policies?
4. Are training and communication tailored to the geographical region, function, and job responsibility?
5. Do employees periodically certify that they are compliant with anti-bribery and anti-corruption standards, and attest that they have no knowledge of any incidence of bribery or corruption?

Monitoring and Auditing

Component Overview

Continuous monitoring activities and individual audits should be performed to:

• Ensure the effectiveness of anti-bribery and anti-corruption programs.
• Lower time to detection.
• Support continuous improvement and follow through on corrective action plans.

Monitoring and auditing documentation also may provide evidence that the organization was proactive prior to the discovery of misconduct.

Internal Audit’s Role

There can be a gap between the perception of bribery and corruption risks on the ground, where an event would likely occur, and the more distant view at the board level. This is especially true if effective risk assessments, analyses, and communication are lacking. Organizations should establish effective monitoring systems that provide senior executives and the board with periodic updates. However, internal audit’s monitoring activities should not supplant management’s monitoring role.

Sample Review Questions

1. Does the organization have a formal process for monitoring the effectiveness of its anti-bribery and anti-corruption programs?
2. Is this process established to ensure objectivity?
3. Is this process implemented properly?


Investigations and Reports

Component Overview

Individuals at all levels should have support for resolving ethical dilemmas and making appropriate decisions. An accessible, anonymous whistleblower hotline for reporting suspected wrongdoing and seeking advice is crucial. Where local law permits, organizations also should offer a means to confidentially and/or anonymously report suspected bribery or corruption.

It is the responsibility of the board to ensure that the organization has an effective process for confidential investigation. A consistent investigative process, including protocols for gathering and evaluating information, assessing potential wrongdoing, and administering penalties, may help mitigate loss and manage risk.

Investigators should have the authority and skills to evaluate allegations and take appropriate action. If an in-depth investigation is deemed appropriate, investigators should first secure approvals, as needed, from senior management, directors, legal counsel, and other appropriate oversight bodies. In certain circumstances it also may be necessary to make public disclosures to law enforcement, regulators, shareholders, the media, or others; however, this should only be done by those individuals deemed authorized to do so on behalf of the organization.

Internal Audit’s Role

Investigations

The role of internal audit in investigating bribery and corruption allegations depends on internal audit’s resources and the organization’s governance structure. Consideration should be given to the unit’s fraud, forensic, and IT skills. Some organizations may require bribery and corruption investigations to be conducted under the supervision of, and in coordination with, a special board committee, regulatory body, the legal department, or other group.

The suspicion, discovery, and investigation of bribery and corruption are sensitive matters. Internal auditors need to understand the cultural and legal landscape of the operational jurisdiction involved, and be thoroughly familiar with local protocols for investigating and reporting. Internal audit also should collaborate with the board and senior management to establish protocols for reporting suspected or actual incidents of bribery and corruption.

The need for an investigation may surface during the course of an audit. If audit evidence indicates possible irregularities, the internal auditor should:

• Follow the reporting protocol and refer the matter to the investigation group. If internal audit suspects that management is involved in the irregularity, it should find the appropriate party to whom it can report.
• Perform and document adequate actions to support the audit findings, conclusions, and recommendations.

If audit evidence points to an illegal act, the internal auditor should seek legal advice directly or recommend that management do so. Internal audit should work with appropriate personnel, such as the fraud investigation unit, and management (if possible, at a level above the parties involved in the act) to determine whether an irregularity or illegal act has occurred and gauge its effect.

Sample Review Questions

1. What controls are in place to respond to bribery and corruption matters before they become significant issues?
2. Does the organization have formal, defined processes and protocols for investigating alleged bribery or corruption?
3. Do the persons responsible for investigations have the requisite skills, experience, objectivity, and organizational independence?

www.globaliia.org/standards-guidance / 9
IPPF – Practice Guide
Auditing Anti-bribery and Anti-corruption Programs

4. Does the organization have defined protocols for reporting alleged or confirmed bribery or corruption to the board or other authority?

Reports

According to Standard 2060, the CAE must report periodically to senior management and the board on internal audit’s performance. These reports must cover significant risk exposures and control issues, including those related to fraud and governance. Reports also should include bribery and corruption risks and exposures, potential violations, and estimated impact.

There may be resistance to reporting bribery and corruption to the board. Management and legal counsel may downplay the wrongdoing or may ask the internal auditor to delay reporting until corrective actions are taken. The internal auditor should clearly understand the board’s communication requirements regarding bribery and corruption, including escalation, information type, and frequency. According to IIA Standards, if in the CAE’s judgment there is significant unmitigated risk, those risks are to be communicated to management and then to the board. In most organizations, the board will direct the internal auditor to report concerns in full and without delay.

External reporting may be a legal or regulatory obligation of management, the individuals who detected the irregularities, or both. Notwithstanding this external-facing responsibility, the internal auditor’s duty of confidentiality to the organization and professional ethics generally require reporting the matter internally before doing so externally. However, in certain circumstances, the internal auditor may be required to disclose an irregularity or illegal act. These circumstances could include compliance with legal or regulatory requirements.

When external reporting is required, the report should generally be approved by legal counsel prior to external release. It also should be reviewed with audit client management and the board, unless applicable regulations or specific circumstances of the audit dictate otherwise. In the public sector, some legal jurisdictions grant citizens the right to access any and all organization documents.

The IIA’s Practice Guide, Internal Auditing and Fraud, describes typical roles and responsibilities for fraud prevention and detection. The same roles apply to anti-bribery and anti-corruption. For example:

• Fraud investigators usually are responsible for the detection and investigation of fraud and the recovery of assets. They also perform a role in fraud and corruption prevention.

• The fraud investigation unit and internal audit should work closely together and be aware of each other’s findings. Fraud investigators often also work closely with legal counsel to bring legal action against perpetrators. The lead investigator usually determines the resources needed for the investigation and staffs the team accordingly. Internal audit can help in areas such as data analysis.

• Laws of the jurisdiction often govern the role of in-house legal counsel. House counsel generally acts in the best interest of the organization and also is required to preserve attorney-client privilege.

• When auditing financial statements, external auditors have a responsibility to comply with professional standards and to determine if there is reasonable assurance that the financial statements are free of material misstatement. If there are evident misstatements, the external auditors must ascertain whether they were caused by error or fraud.

• When external auditors find evidence of irregularities and illegal acts, professional standards typically require that the matter be brought to the attention of an appropriate level of management. If senior management is involved, the report normally goes directly to those charged with oversight governance (e.g., the board or audit committee).

• Employees can report suspicions of irregularities and illegal acts to an employee hotline, internal audit, or a member of management. To deter and detect fraud and abuse, many experts believe an appropriately monitored employee hotline is the single most cost-effective tool for detecting irregularities and illegal acts.

Enforcement and Sanctions

Component Overview

Terminable bribery and corruption offenses should be clearly identified, and related sanctions should be explicit.

Internal Audit’s Role

There should be a defined process that includes multiple organizational disciplines to evaluate cases of bribery or corruption and implement sanctions according to a formal policy.

Sample Review Questions

1. Do employees and third-party providers (e.g., agents, sales consultants, distributors, and vendors) comply with the code of business conduct regarding bribery and corruption?

2. Do employees understand how anti-bribery and anti-corruption program violations impact salary, promotion, and continued employment?

3. Are cases of bribery or corruption evaluated objectively and sanctions consistently implemented in accordance with policy?

Review and Updates

Anti-bribery and anti-corruption programs require ongoing monitoring of legal mandates. All components of these programs should be updated as necessary to ensure alignment with changing regulations and evolving country norms across all jurisdictions the organization operates within.

Risks, Red Flags, and Audit Activities

Risks

Corruption and bribery expose organizations to a broad range of risks to achieving established operations, reporting, and compliance objectives. Organizations should assess the likelihood, impact, and vulnerability of each identified risk. It should be noted that the impact of bribery and corruption on reputational risk may be severe even when financial impact is minimal — materiality may be irrelevant or secondary. Comprehensive controls are needed to combat bribery and corruption risks. The development of effective controls requires in-depth knowledge of an organization’s internal and external operations.

Risk Areas

Most bribery and corruption involves cash payments, hospitality, gifts, travel, and employment. However, other inducements also come into play across many different areas of the organization. High-risk areas for bribery and corruption include geography and industry; hiring/employment; third-party/vendor management; gifts, entertainment, and political contributions; procurement; sales; finance; IT; upper management; and government relations.

www.globaliia.org/standards-guidance / 11
IPPF – Practice Guide
Auditing Anti-bribery and Anti-corruption Programs

Geography and Industry

Risk Area Overview

Some countries or jurisdictions where organizations operate in cash-based economies have a higher incidence of bribery and corruption. The local regulatory environment also impacts risks. Similarly, certain industries (e.g., construction/infrastructure) are more susceptible to bribery and corruption. It also is important to consider the respective industries of business partners and third-party relationships.

Through globalization, joint ventures, and partnerships, organizations may set up operations in parts of the world where the ethical environment differs from that of the home country or where the local culture accepts acts that would be considered bribery as a normal way to facilitate business. Risks may be compounded if anti-bribery and anti-corruption policies are not clear, detailed, translated into local languages, and relevant to regional business practices.

Red Flags

• Operations in countries with a reputation for higher risk of bribery or corruption.

• Activities with industries or specific organizations that have a reputation for a higher risk of bribery or corruption.

Internal Audit Activities

Where a culture of bribery and corruption exists, internal auditors of the parent organization should evaluate each situation, including those under joint venture/partnership, and discuss dilemmas with the board.

When senior management does not support a bribery policy and the organization is operating in a culture where bribery and corruption are common, the line between what is and is not acceptable is likely to be blurred. The internal auditor should evaluate acts and actions against the organization’s policy regardless of the apparent permissiveness of a particular environment.

Hiring/Employment

Risk Area Overview

The hiring process, including candidate background checks, is an important consideration for potential bribery and corruption. This is especially true in cases of mergers and acquisitions.

Red Flags

• Hiring employees with a history of wrongdoing.

• Phantom employees.

Internal Audit Activities

• Review effectiveness of policies and practices for confirming that personnel considered for employment in bribery-vulnerable roles do not have a history of wrongdoing.

• Confirm existence of employees in the country/location.

• Verify validity of employees.

Third-party/Vendor Management

Risk Area Overview

Relationships with vendors, agents, lobbyists, contract employees, consultants, and other intermediaries can be exploited by bribery schemes and often are at the heart of corruption. Third parties that engage in bribery and corruption expose the organization to compliance, financial, and reputational risks. See the section on procurement for additional related guidance.

Red Flags

• Unproductive or suspicious interviews with employees, agents, and contractors.

• Close personal or familial relationships between employees and vendors.

• Lack of competitive bid processes for vendors or customers.

• Use of agents or third parties to pay bribes.

Internal Audit Activities

• Review agent and other third-party selection and screening processes and due diligence practices.

• Review practices for staying current on third-party ownership and merger and acquisition activity.

• Review policies for hiring and retaining agents and contractors and training them in anti-bribery and anti-corruption programs.

• Ensure that contracts specify the expectation of compliance with the code of conduct and anti-bribery and anti-corruption regulations.

• Review contracts to ensure the existence of right-to-audit clauses.

• Review expenses reimbursed to third parties. Interview third-party employees.

• Evaluate use of agents and other third parties, considering reasonableness and necessity (i.e., whether it is reasonable to use the third party chosen for the specific task).

Gifts, Entertainment, and Political Contributions

Risk Area Overview

Travel, entertainment, and gifts given or received by the organization or the organization’s employees can be methods of bribery.

Red Flags

• Excessive travel and entertainment expenses, especially for entertaining government officials.

• Frequent or excessive entertainment and gifts provided to customers, suppliers, or government officials.

• Frequent or excessive charitable and political donations.

• Inadequate or vague gift/hospitality/entertainment policies and/or guidelines.

Internal Audit Activities

• Review appropriateness of entertainment and gift policies.

• Review payments related to travel, entertainment, and gifts.

• Review approvals required for giving gifts.

• Perform keyword searches on travel and expense reports for inappropriate travel/gifts.

• Review compliance with the charitable donations policy.

• Review payments to charitable and political organizations.

• Consider relationships between charities and other parties (e.g., government officials and organization management).

• Confirm charities are bona fide organizations.

Procurement

Risk Area Overview

Procurement of high-value goods and services can be a common area for corruption.

Red Flags

• The existence of fictitious suppliers.

• Inappropriate acceptance of gifts, money, or entertainment expense payments in return for preferential treatment to providers bidding for goods and services.

• Conflicts of interest among members of assessment panels (for large procurements) and vendors submitting the bids, including vendors related to government officials.

• Purchasing in installments with the same supplier (i.e., provider) to avoid the organization’s authorization levels and spending limits (structuring).

• Extending contracts for excessive periods of time without “testing the market” for better terms.

• Making a high-value purchase with a unique or exclusive supplier.

• Purchasing goods inconsistent with business needs, including overpaying for services and products.

• Inadequate spend data and vendor data, or inconsistent data across procurement-related systems.

• Use of sole-sourced vendors not properly vetted, including low compliance with corporate preferred buying guidelines.

• Inappropriate vendor creation and management, and multiple appearances of the same vendor within the master file.

• Duplicate payments.

• Limited segregation of duties involving payments, credits, and reconciliation of vendors and suppliers.

Internal Audit Activities

• Review controls over supplier selection and vendor setup.

• Review vendor setup in the payment system.

• Review the competitive bid process.

• Test that goods and services are real and at market prices.

• Conduct supplier visits and interview suppliers.

• Validate vendor addresses.

• Validate vendor companies via publicly available records.

Sales

Risk Area Overview

Bribery is one way certain sales contracts can be obtained.

Red Flags

• Providing gifts, money, or entertainment to make a deal, increase sales, or otherwise gain advantage.

• Inadequate policy or guidelines detailing acceptable gifts, hospitality, and entertainment expenses.

• Making a deal with suppliers to fix prices or award a sale or contract.

• New or recurring sales or long-term contracts with the same government entity without proper bidding and negotiations.

Internal Audit Activities

• Review sales function expense reports and compliance with related policies and procedures.

• Review appropriateness of entertainment and gift policies, and related training and attendance records for sales personnel.

• Review sales contract and agreement approvals, terms, and conditions.

• Review compliance with government contract and agreement guidelines.

Finance

Risk Area Overview

Most bribery involves disbursement of cash and the recording of that disbursement in the financial records.

Red Flags

• Payments of cash to facilitate deals and transactions.

• Lack of supporting documentation for cash transactions.

• Lack of appropriate segregation of duties for control of cash, non-routine payments, or other transactions.

• Lack of, or poor supporting documentation for, expense reports.

• Cash used to pay bribes.

• The existence of off-balance-sheet bank accounts.

• Credit notes and rebates used as a method to pay bribes.

• Bookkeeping records insufficient to identify bribery schemes.

• Increasing or frequent write-offs of accounts receivable.

Internal Audit Activities

• Review end-to-end expense processing for check/wire/EFT, petty cash, employee payroll, and employee expense reimbursement.

• Review controls to establish bank accounts and signature authorities.

• Review bank reconciliation controls and performance of monthly reconciliations.

• Review controls over petty cash.

• Review travel and entertainment payments and reimbursements, as these are common methods of bribery.

• Review financial information, detailed accounts, bank accounts, and payment records to identify any off-balance-sheet accounts usable for bribery purposes.

• Review controls and test transactions related to credit notes and rebates.

• Confirm that the nature and amount of credit notes and rebates are consistent with business practices.

• Review accounting policies and practices to assess regulatory compliance.

• Reconcile balances between subledger and general ledger.

• Evaluate accounts to determine if parallel books are maintained in certain countries to disguise illegal or irregular transactions.

IT

Risk Area Overview

The IT control environment is a crucial area, especially with regard to access controls and segregation of duties for cash, and detection of unusual transactions.

Red Flags

• Limited segregation of duties involving payments, credits, and reconciliation of vendors and suppliers.

• Any procurement red flags related to the procurement or acquisition of IT infrastructure (see section on procurement).

Internal Audit Activities

• Review and test IT access controls related to vendor management, accounts payable, and accounts receivable.

• Test transaction-level controls for segregation of duties.

• Review the vendor master file for additions, deletions, and changes.

• See related section on procurement.

Upper Management

Risk Area Overview

Upper management has a pervasive impact on the risk of bribery or corruption through the culture it helps foster and its own activities.

Red Flags

• Complacency by management or the board toward bribery and corruption risk.

• Inordinate attention to specific investigations by management, who may be involved.

• Lack of a clear anti-bribery or anti-corruption policy.

• Lack of an objective process to investigate suspected cases of bribery or corruption.

Internal Audit Activities

• The internal auditor may be unsure how to handle bribery and corruption issues involving executives in the organization. Even just reporting such instances to the organization or board can be a challenge. The CAE may want to consult the general counsel.

• If the CEO is not involved in these matters and the reporting line between the CEO and the CAE is effective, there may not be any reporting difficulty. However, if the CEO may have been involved, special care is required.

• The CAE should communicate the matter to independent personnel such as board or audit committee members and the lead independent director. In certain jurisdictions it may be necessary to report to the applicable regulatory agency. If senior executives are involved, the bribery or corruption that occurred should be considered substantial to reputational risk, even if the infraction is relatively small or involves immaterial transactions.

›› Some countries have set up governmental agencies for such reporting in the public sector. Internal auditors in the public sector should report matters to such agencies, as required.

• If the senior executives are engaged in bribery or condone an inappropriate culture, internal audit will need strong support from independent directors to improve the organizational environment.

• The organization may not have an anti-bribery policy, or it may operate in a bribery-tolerant environment. If so, the CAE should discuss the situation with the board to arrive at an appropriate course of action.

›› In some situations, organizations do not condone bribery but seek to operate in countries where such activities are prone to occur. Such practices may result in facilitation payments and, therefore, the CAE should discuss the associated risks with legal counsel, the board or audit committee, and senior management.

Government Relations

Risk Area Overview

In certain countries, significant interactions with government agencies may pose higher risk or compliance costs.

Red Flags

• Frequent government permit granting.

• Close personal relationships between employees and government personnel.

• A historical record of government fines or penalties.

• Use of agents or third parties to develop business relationships in foreign countries.

• Inappropriate payments to government agencies.

• Events sponsored for public servants including travel, expense reimbursement, or entertainment (taking advantage of the function directly or indirectly).

• High level of political contributions.

• Use of middlemen or consultants to facilitate fast-track processing with government agencies or to get business.

• Offers of gifts or favors to government employees and officials.

Internal Audit Activities

• Review payments made to government agencies.

• Review use of third parties for such payments.

• Validate original receipts and related amounts for government payments.

• Review high-risk activities such as customs clearance and granting of permits.
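Several of the red flags listed under Procurement, Finance, and IT above (the same vendor appearing more than once in the master file, duplicate payments, and purchases split into installments to stay under authorization limits) are the kind of test internal audit can run with data analysis. The following is an added example, not part of the IIA guide: the vendor and payment records are constructed, and the authorization limit and 30-day window are assumed values an auditor would take from the organization’s delegation-of-authority policy.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import re

@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    address: str
    bank_account: str

@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_ref: str
    amount: float
    paid_on: date

_LEGAL_SUFFIXES = re.compile(r"\b(inc|ltd|llc|co|corp|company|limited)\b")

def normalize(text):
    """Lower-case and drop punctuation and legal-form suffixes so that
    'Acme Supplies Ltd.' and 'ACME SUPPLIES LIMITED' compare equal."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return " ".join(_LEGAL_SUFFIXES.sub(" ", text).split())

def duplicate_vendors(vendors):
    """Red flag: the same vendor more than once in the master file. Vendor IDs
    are grouped on normalized name+address, or on a shared bank account."""
    groups = defaultdict(set)
    for v in vendors:
        groups[("name+address", normalize(v.name), normalize(v.address))].add(v.vendor_id)
        groups[("bank", v.bank_account)].add(v.vendor_id)
    return sorted({tuple(sorted(ids)) for ids in groups.values() if len(ids) > 1})

def duplicate_payments(payments, window_days=30):
    """Red flag: duplicate payments. Same vendor and amount, and either the
    same invoice reference or paid within window_days of each other."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p.vendor_id, p.amount)].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p.paid_on)
        for i, first in enumerate(group):
            for second in group[i + 1:]:
                if (first.invoice_ref == second.invoice_ref
                        or (second.paid_on - first.paid_on).days <= window_days):
                    flagged.append((first.payment_id, second.payment_id))
    return sorted(flagged)

def structured_payments(payments, limit, window_days=30):
    """Red flag: structuring. Two or more payments to one vendor, each below
    the authorization limit, whose total within window_days exceeds it.
    Returns (vendor_id, payment_ids, total) for each distinct set found."""
    by_vendor = defaultdict(list)
    for p in payments:
        if p.amount < limit:  # a payment at or above the limit went through full approval
            by_vendor[p.vendor_id].append(p)
    found = {}
    for vendor_id, pays in by_vendor.items():
        pays.sort(key=lambda p: p.paid_on)
        for i, start in enumerate(pays):
            window = [p for p in pays[i:] if (p.paid_on - start.paid_on).days <= window_days]
            total = sum(p.amount for p in window)
            if len(window) >= 2 and total > limit:
                found[(vendor_id, tuple(sorted(p.payment_id for p in window)))] = total
    return sorted((vendor, ids, total) for (vendor, ids), total in found.items())

# Constructed sample records (not from the guide): V100/V101 are one supplier
# keyed twice, V102 and V103 share a bank account, V100 is paid three times
# just under the assumed limit within two weeks, and V102 is paid one invoice twice.
AUTH_LIMIT = 10_000.0  # assumed single-approver authorization limit
VENDORS = [
    Vendor("V100", "Acme Supplies Ltd.", "12 Harbour Rd, Sydney", "AU-0001"),
    Vendor("V101", "ACME SUPPLIES LIMITED", "12 HARBOUR RD., SYDNEY", "AU-0002"),
    Vendor("V102", "Globex Consulting", "Unit 4, 9 King St, Perth", "AU-0003"),
    Vendor("V103", "Kite Logistics Inc", "77 Pier Ave, Melbourne", "AU-0003"),
    Vendor("V104", "Northwind Traders", "5 Market Sq, Brisbane", "AU-0004"),
]
PAYMENTS = [
    Payment("P1", "V100", "INV-501", 4_800.0, date(2024, 3, 1)),
    Payment("P2", "V100", "INV-502", 4_900.0, date(2024, 3, 8)),
    Payment("P3", "V100", "INV-503", 4_700.0, date(2024, 3, 15)),
    Payment("P4", "V102", "INV-9001", 2_500.0, date(2024, 3, 3)),
    Payment("P5", "V102", "INV-9001", 2_500.0, date(2024, 3, 20)),
    Payment("P6", "V104", "INV-77", 12_500.0, date(2024, 3, 5)),  # over the limit: approved normally
    Payment("P7", "V104", "INV-78", 3_000.0, date(2024, 3, 10)),
    Payment("P8", "V104", "INV-79", 3_000.0, date(2024, 5, 10)),  # same amount 61 days later: not a duplicate
]

if __name__ == "__main__":
    print("duplicate vendors:", duplicate_vendors(VENDORS))
    print("duplicate payments:", duplicate_payments(PAYMENTS))
    print("structuring:", structured_payments(PAYMENTS, AUTH_LIMIT))
```

Each hit is a lead for the follow-up procedures the guide lists (validating vendor addresses and public records, reviewing approvals), not a conclusion in itself.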

Appendix 1: Comparison of Legislation in Select Countries

Following is a summary comparison of legislation in select countries (as of December 2012).

Jurisdictions compared: United Kingdom (Bribery Act); United States (FCPA); Australia (Bribery of Foreign Officials/Secret Commission); People’s Republic of China (PRC). √ indicates the provision applies in a jurisdiction.

Provision | Applicability
Bribery of foreign public officials | √ √ √ √ (all four jurisdictions)
Private-to-private bribery | √ √ √ (three of the four jurisdictions)
Receipt of bribe | √ √ (two of the four jurisdictions)
Intent | United Kingdom: intent is required for section 1 and 2 offenses; no “corrupt” or “improper” intent is required for the FPB offense. √ √ √ for the other three jurisdictions.
Facilitation payments allowed | √ √ (two of the four jurisdictions)
Promotional expenses allowed | √ √ √ √ (all four jurisdictions)
Extraterritorial application | √ √ (two of the four jurisdictions)
Third parties | √ √ √ √ (all four jurisdictions)
Failure to keep accurate books and records | United Kingdom: covered by other legislation. √ √ √ for the other three jurisdictions.
Criminal penalties | √ √ √ √ (all four jurisdictions)
Perceived level of enforcement | United Kingdom: uncertain, as the Act is new. United States, Australia, and PRC: high and growing.

Appendix 2: Internal Controls: Update Based on COSO Elements

COSO-recommended examples of anti-bribery and anti-corruption controls include:

• Corporate ethics and anti-corruption and anti-bribery policies.

• Provisions for compliance with anti-bribery regulations included in contracts with third parties.

• Anti-fraud and anti-corruption training provided to employees.

• A whistleblower program.

• Requiring employees to record events where they had contact with government officials, political parties/officials, or political candidates and their families.

• Enforcement of delegation-of-authority limits.

• Procurement policies and procedures and periodic compliance reviews.

• Political contributions approved by the board of directors.

• User access and segregation of incompatible duties controls.

Appendix 3: Sample Audit Procedures

1. Discuss with the legal department whether the audit should be conducted under attorney-client privilege.

2. Through inquiry with the board of directors and executive management, obtain an understanding of those groups’ role in anti-bribery and anti-corruption matters and their awareness of related policies and procedures and internal audit’s role therein.

3. Evaluate the control environment/entity-level controls established by management.

4. Through inquiry with management, obtain an understanding of:

• Anti-bribery and anti-corruption policies and procedures.

• Third-party due diligence process.

• Third-party agreement approval process.

• End-to-end expense processing for check/wire/EFT, petty cash, employee payroll, and employee expense reimbursement.

• Gift policies and procedures review process.

• Meals and entertainment policies and procedures review process.

• Related roles and responsibilities, segregation of duties, documentation requirements, predetermined thresholds, and delegation of authority.

• Donation policies and procedures review process.

• Process for review of payment facilitation policies and procedures.

5. On a sample basis, test policies and procedures over the items stated in item 4 above and verify that:

• Policies and procedures were documented appropriately.

• Policies and procedures were approved by appropriate management.

• Policies and procedures were communicated to staff.

• Policies and procedures are in compliance with FCPA regulations.

6. Review and test the following, as applicable:

• Tone at the top/Governance structure

›› Leadership and support of the board, the CEO, and senior executives.

›› Consistent communication, support, and enforcement of the program to establish credibility.

›› Anti-bribery and anti-corruption program with an organizational structure and formal decision-making processes.

›› Whistleblower hotlines, employee help lines, and topical guidance to support employees in challenging situations.

›› Regular exception reports to the CEO and the board.

• Risk assessment

›› Use cross-functional teams (e.g., business unit, finance, internal audit, compliance, legal) to establish credibility and consistency.

›› Identify risk factors, schemes, and scenarios at a business-process level.

›› Assess the likelihood and impact of risks.

›› Tailor assessment to local incentives, pressures, opportunities, and attitudes.

›› Evaluate and prioritize key risks.

• Program design and control activities

›› Focus on design and implementation of controls for key risks identified in the risk assessment.

›› Typical policies and controls to consider:

– Facilitation payments.

– Gifts, hospitality, and entertainment.

– Use of agents and other intermediaries.

– Political and charitable contributions.

– Acquisition due diligence.

– Joint ventures or similar relationships.

– Recordkeeping requirements.

– Investigation and sanction procedures.

– Use of third parties and related controls.

– Training programs for employees and vendors.

›› Ensure controls contemplate risks of override, circumvention, and collusion.

›› Tailor controls to local environment and business models.

• Monitoring

›› Design monitoring and auditing procedures around risk factors and indicators.

›› Periodically evaluate program effectiveness by performing internal audits.

›› Survey employees’ understanding of the program.

›› Constantly incorporate monitoring results into the program design.

• Response and remediation

›› Establish formal process for initiating, tracking, investigating, resolving, and documenting allegations.

›› Identify and remedy control weaknesses that led to corrupt activities.

›› Consistently enforce sanctions across organizational units and levels.

›› Monitor communications regarding anti-bribery and anti-corruption compliance received by the board of directors and executive management.

7. Based on additional information gained, determine whether any additional test procedures should be designed and performed. If an investigation is required, seek guidance from a specialist.

Appendix 4: References

Following are references that would be useful to internal auditors in understanding the bribery and corruption scenario and building an appropriate strategy.

• Transparency International

• The Organisation for Economic Co-operation and Development (OECD) and OECD’s Anti-bribery Convention (1999)

• United Nations Convention against Corruption

• United Nations Declaration against Corruption and Bribery in International Commercial Transactions

• The African Union Convention on Preventing and Combating Corruption

• The King Code of Governance for South Africa

• The U.S. Federal Sentencing Guidelines

• A Resource Guide to the U.S. Foreign Corrupt Practices Act (by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission)

• The IIA’s Audit Executive Center 2010 Knowledge Briefing, Internal Auditing and the Foreign Corrupt Practices Act

• The Chartered Institute of Internal Auditors’ Professional Guidance for Internal Auditors on the U.K. Bribery Act 2010

• Transparency International’s 2010 U.K. Bribery Act Adequate Procedure (guidance on good practice procedures for corporate anti-bribery programs)

• IIA Practice Guide, Evaluating Ethics-related Programs and Activities

• IIA Practice Guide, Coordinating Risk Management and Assurance

• The IIA’s Global Technology Audit Guide (GTAG®) 16: Data Analysis Technologies

The authors consulted Fraud and Corruption — Prevention and Detection, by Nigel Iyer and Martin Samociuk, when writing parts of this practice guide.

Authors

• Princy Jain, CIA, CCSA, CRMA

• Richard Schmidt, CIA

• Andrew Macleod, CIA, CRMA

• Teis Stokka, CIA, CRMA

• Carlos Renato, CIA, CCSA

• Takeshi Shimizu, CIA, CCSA, CRMA

• Andy Robertson

Reviewers

• Douglas J. Anderson, CIA, CRMA

• Steve Jameson, CIA, CFSA, CCSA, CRMA

• David Zechnich, CIA, CRMA

• Stephen Linden

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2014 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

GLOBAL HEADQUARTERS
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org

IPPF – Practice Guide

Auditing Executive Compensation and Benefits
April 2010

Table of Contents
Introduction ........ 1
Executive Summary ........ 1
Definition and Structure ........ 1
Risks ........ 2
    Employment Market Risk ........ 2
    Compliance Risk ........ 2
    Financial Reporting Risk ........ 2
    Reputation Risk ........ 3
    Operating Risk ........ 3
    External Business Relationships ........ 3
Audit Approach ........ 3
    Auditing Board Compensation and Benefits ........ 4
    Auditing External Business Relationships ........ 5
Audit Considerations ........ 5
    Access to Information ........ 5
    Privilege ........ 5
    Skills and Knowledge ........ 5
Audit Program Development ........ 6
    Board of Directors and Committees ........ 6
    Management ........ 8
    External Business Relationships ........ 10
Appendix A – Types of Executive Compensation and Benefits ........ 12

www.theiia.org/guidance / B

Introduction

Executive compensation and benefits (ECB) programs have risks that require effective board governance (direction and oversight) and management (development, monitoring, and administration) processes. Internal auditors have an important role in providing assurance that appropriate and effective controls are in place around ECB programs.

Auditing the structure and operation of ECB programs is a legitimate and appropriate role for internal auditing. If a risk assessment indicates a review is warranted, the chief audit executive (CAE) should add ECB to the audit plan, which the board will review and approve. Internal auditing will choose the audit approach and design risk-based audit procedures.

This practice guide is not intended to address all the considerations necessary for performing an audit of ECB. It provides discussions relating to such an audit and includes several considerations that may be relevant to an organization’s business activities or risk profile.

The International Professional Practices Framework’s (IPPF’s) International Standards for the Professional Practice of Internal Auditing (Standards) include attribute and performance standards pertaining to activities of internal audit, including audits of ECB programs. This practice guide assumes conformance with the Standards for all audit work and discusses how the execution of such audit work could be performed.

Executive Summary

Strong governance systems are needed for ECB programs, as management often is in the position of both designing and recommending its own compensation. There are several specific risks internal auditors should consider, including employment market, compliance, financial reporting, reputation, operating, and external business relationship risks. ECB programs also are subject to fraud risk.

Due to the sensitive nature of this area, internal auditing must have an appropriate audit approach and access to the necessary information. While there can be obstacles to obtaining this information, internal audit needs to proceed in accordance with its charter.

The audit scope could include a focus on the board, management, and external business relationships.¹ There are a number of unique aspects in audits of each of these areas of focus which should be considered before performing audit work.

Definition and Structure

Compensation and benefits are the aggregate of various payments, reimbursements, and personal use of assets that are a benefit to the employee and a cost to the organization. The cost can be direct costs for the benefits, or incremental costs, such as administration. The components of ECB vary among organizations; significant differences may exist among organization types (publicly or privately held, government, not-for-profit, etc.), sizes, and locations. Components of ECB include salary, bonuses, perquisites (fringe benefits), equities, and some reimbursable business expenses. For additional discussion and examples, refer to Appendix A.

Boards² review and approve compensation strategies to attract and retain appropriate leadership for the organization, while managing stakeholder expectations for cost management and alignment of compensation with the organization’s performance.

¹ External business relationships include suppliers, customers, and partners. For more guidance, refer to the IIA Practice Guide “Auditing External Business Relationships.”
² A board is a governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organization, or any other designated body of the organization. For this guide, board may also refer to committees of the board.

Management is often in the position of designing and recommending its own compensation programs, as well as board compensation programs. Strong board governance systems are needed to manage the inherent conflict of interest and potential for collusion.

Many organizations outsource compensation and benefit services, such as pensions, medical and insurance benefits, financial and tax planning services, recruitment, and outplacement. Some may outsource processing functions, such as payroll and accounting. Outsourcing adds complexity and risk to the monitoring of controls and creates a challenge when trying to understand the full spectrum of controls in place.

Risks

ECB exposes organizations to several risks. The board and management have ultimate responsibility for assessing and managing these risks.

The CAE should understand and assess these risks to determine the need for an audit and for planning, scoping, and resourcing. Some of the risks identified herein may cover more than one risk category, and many are also ethics/fraud risks.³

Employment Market Risk

If the ECB is not competitive in the employment market, the organization may fail to attract or retain individuals with the necessary and desired qualifications to fill key roles. The organization could fail to achieve its goals and objectives due to weak leadership.

Compliance Risk

The organization may fail to comply with laws and regulations if:
• It does not know or understand the applicable laws and regulations.
• It fails to design controls.
• The processes for gathering and reporting regulatory required ECB data are not reliable (accurate, complete, timely, etc.).
• Management intentionally or unwittingly designs processes that fail to apply regulations appropriately, such as employment benefits, income tax regulations, or accounting standards.

The organization may fail to comply with its policies and procedures if:
• Executives make illegal or unethical decisions to generate more personal benefits than those approved.
• The board fails to act responsibly in meeting its governance role.

The organization may fail to comply with contractual or other legal obligations if:
• It does not generate sufficient resources to pay for agreed-upon severance and post-retirement benefits, or if such resources are not appropriately safeguarded.
• Processes are not designed to manage customer or joint venture billing requirements. For example, some contracts may stipulate what types or percentages of compensation and benefits are chargeable, and such terms and conditions may differ among customers and partners.

Financial Reporting Risk

The organization may:
• Misclassify or hide over-generous, illegal, or unethical ECB, which could also lead to failure to disclose (compliance risk).
• Misclassify or misreport financial or operating data to create the illusion that goals were reached (to qualify for bonus payments or to improve/retain the market value of equities, for example).
• Report incorrect valuations or inappropriate estimates and accruals due to poor accounting and disclosure controls.

Reputation Risk

The organization may:
• Create internal morale issues if executives are eligible for inequitable or unreasonable ECB.
• Fail to effectively develop, communicate, and defend the ECB strategies, exposing the organization to challenges by shareholders, employees, media, government, and other stakeholders. Stakeholders value transparency and organizations that accept accountability for their decisions. An organization’s reputation can be negatively impacted if stakeholders perceive the ECB programs are rewarding failure or socially unacceptable behavior, especially when the organization is government funded or not-for-profit. The organization should screen its strategies and communications periodically to consider social and economic factors.

Operating Risk

The organization may:
• Introduce a high opportunity for error or fraud through the design of complex ECB programs. ECB programs may have high inherent risk where they involve many systems and departments, in-house and third-party administrators, and/or are highly regulated. A complex legal structure in the organization is often associated with a more complex ECB structure, which increases the inherent risk of error.
• Fail to design appropriate governance processes and internal controls, resulting in inadequate feedback and oversight to improve processes, inadequate controls over inherent conflicts of interest in board compensation and executive compensation, or pressures leading to management override of controls.
• Fail to achieve its goals and objectives if the ECB is poorly designed and fails to motivate executives.
• Fail to optimize costs (and meet shareholder expectations) if the ECB is not linked to organizational performance, both short and long term. However, linking excessive portions of compensation to performance may encourage fraud or other illegal or unethical behavior. An excessive portion of compensation linked to short-term performance targets increases this risk.
• Fail to optimize costs if the full financial impact is not considered when developing ECB strategies. For example, some benefits may be attractive to executives but may not be deductible expenses when calculating the organization’s income taxes, or may not be recoverable as part of “overhead rates” from customers. Increases to ECB in response to tight employment markets may also not be removable once market conditions improve.
• Encourage behavior that is inconsistent with the interests of relevant stakeholders (e.g., bonus practices may reward excessive risk taking or, alternatively, create a culture that does not innovate).

External Business Relationships

The organization may fail to:
• Adequately provide for control requirements in contracts with outsourced service providers, such as those that process payroll, pensions, etc.
• Monitor controls over information administered by outsourced service providers.

Audit Approach

The CAE’s decision to perform an audit, the approach, scope, and sample size should be based on a risk assessment of the subject, including the inherent risk of the processes and potential consequences.

³ For more information, refer to the IIA publication “Managing the Business Risk of Fraud, a Practical Guide.” The document also discusses governance and audit procedures relevant to this topic.

Internal auditing should determine whether ECB will be scoped as one audit or a series of audits. The audit(s) could be further refined into reviews at subsidiary or division levels; reviews of board compensation and benefits and of executive compensation and benefits; and reviews of processes administered by the organization and those administered by outsourced service providers.

If internal auditing typically conducts audits of departments rather than processes or subjects, proposing an ECB audit would be different from the usual approach because it crosses departments and requires the cooperation of many department heads. The CAE could choose to break down the subject into departments, such as human resources (HR), payroll, legal, accounts payable, etc., so that each audit would cover the issues required to ultimately form an opinion at the macro level.⁴ Audit recommendations may also require the involvement of many departments and, if significant, may require CEO acceptance. The CAE should anticipate challenges and consider this deviation from the norm in the audit plan.

There might be some concern from members of management or the board if internal auditing will be evaluating board governance of ECB and it has never audited board processes before. However, board governance is a significant control factor in ECB and usually is included in the audit scope. The CAE may choose to conduct two audits, one of the board processes and one of management processes, before forming an opinion. Another approach is to review the board processes as a consulting engagement rather than as an audit.

Generally, an audit of ECB is a subset of the employee compensation and benefit programs audit and is not a comprehensive audit of all the systems used to administer and account for ECB. This guide assumes that the payroll, accounts payable, banking, etc. functions are risk assessed and subject to separate audits.⁵ Internal auditing should consider the results of these audits when planning the ECB audit program. If these functions are not audited independently, additional testing may need to be done, including testing of relevant general information technology (IT) and application controls.

In some organizations, the board or management requests that internal auditing conduct specific tests on ECB-related issues, such as an annual audit of executive expense accounts. With the knowledge gained from a risk assessment or ECB audit, the CAE could consider approaching the board with a plan that would replace the annual audit with a higher-risk process, expand on the audit, or rotate two or three key processes, to optimize risk assurance and audit resources.

The CAE also could approach an evaluation of ECB as a consulting engagement, e.g., as a proactive review of ECB to identify whether there are any issues that may be control weaknesses, embarrassing, or controversial. Because ECB issues are often sensitive and developed at a senior level, facilitating a control self-assessment by management is not an optimum approach.

Auditing Board Compensation and Benefits

Management may develop recommendations for board compensation and benefit programs, creating an opportunity for collusion or conflict of interest in board compensation. The CAE determines whether to include board compensation and benefits in the audit scope, and whether to test for board member use of assets and receipt of payments. This determination should be consistent with the charter of the internal audit activity. If the audit scope includes the board, audit tests could include board member names wherever the considerations included in the Audit Program Development section of this guide mention “executives and their families.”

⁴ For more information on forming opinions, refer to the IIA Practice Guide “Formulating and Expressing Internal Audit Opinions.”
⁵ The results of those audits may impact the reliability of the data used in an audit of ECB.

If management applies pressure to internal auditing regarding the audit work program and results, the CAE can seek support from the board.

Auditing External Business Relationships

If internal auditing has never audited external business relationships, and the risk assessment indicates that an audit is warranted, the CAE needs to determine whether the organization has the right to audit under the contract and ensure that an appropriate audit reporting process is developed.⁶

Audit Considerations

Executive and board compensation is often subject to public disclosure requirements, accounting standards, and external auditing. This should be factored into the nature of work performed. For example, the external auditors may have reviewed the completeness and accuracy of reported benefits but not reviewed the controls for ensuring appropriateness of those benefits.

If the board has not approved an audit of ECB as part of the annual audit plan, the CAE should obtain such approvals and buy-in to the scope before beginning. This action provides the CAE with the support necessary for such a sensitive topic and reduces impediments to the audit process.

Access to Information

If there is no internal audit charter, or if the charter is not clear about access to records, facilities, and personnel, the CAE could use some of the risk, control, and governance factors identified in this guidance to convince the board and management of the value of such an audit and to gain cooperation regarding full access.⁷ The CAE may request that the chairman of the board and the CEO issue a memorandum to the relevant board members and department heads stating their support for the audit and encouraging cooperation from all parties.

Regardless of executive and board support, auditors may encounter some resistance from personnel in the HR or payroll functions. Part of their responsibility is to ensure confidentiality, and they may try to restrict the auditors. Their level of concern is usually greater when dealing with information about executives or pending program changes that have not yet been approved or announced. Auditors need not be intimidated or frustrated by this issue; rather, they should be aware of, and respect, these concerns while still getting the job done. Auditors can help these personnel understand the internal audit activity, the scope of access, the auditor’s professionalism, and how the information will be used and protected. Being responsive to concerns may help reduce conflict and may require being innovative in the audit approach or practices. For example, the audit team might use senior-level staff, such as audit managers, to perform some of the more sensitive tests, such as review of board materials.

Privilege

In some countries, certain organizations have the right to invoke privileged communication between the organization and its legal counsel. Management or the board might invoke this right, and the CAE may be directed to conduct the audit and communicate results in conformance with legal requirements. To comply, the CAE must understand how legal privilege applies to the organization and to internal audit work.

The CAE should consider the liability risk associated with the audit, such as when an audit is initiated in conjunction with a fraud investigation. The CAE should consult with legal counsel before beginning such an audit, as this situation may be cause for invoking privilege.

Skills and Knowledge

Due to the sensitive nature of ECB, and the senior-level personnel involved, auditors should be discreet, tactful, and confident. Generally a more experienced, senior-level auditor is part of the team.

⁶ For more information, refer to IIA guidance “Auditing External Business Relationships.”
⁷ Refer to the International Professional Practices Framework Standards and Practice Advisories relating to key elements of an internal audit charter to effectively establish or modify a charter for your organization.

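The audit program under Management below asks whether the vendor master and check register can be compared with executives’ addresses, whether accounts payable and treasury payments can be crosschecked against HR addresses, and whether purchase-order “ship to” addresses can be matched to employee addresses. That is the kind of computer-assisted crosschecking the Skills and Knowledge discussion has in view. The following Python script is an added example and is not part of the IIA guide: it normalizes addresses before comparing them (so that “Harbour Road, Suite 4” and “harbour rd. ste 4” match) and runs those crosschecks over constructed HR, vendor master, check register, and purchase-order extracts. Every identifier, name, address, and amount in it is hypothetical, and the role-based scope filter (executives and board members by default) is an assumption that reflects the guide’s point that the CAE decides whether board members are in scope.

```python
"""Address-matching crosschecks over HR, vendor master, check register and
purchase-order data. Added example; not from the IIA guide. All records are
constructed sample data with hypothetical names, addresses and amounts."""
import re
from collections import defaultdict

# Constructed sample extracts. In an engagement these come from the HR system,
# the AP vendor master, the bank/check register and the purchasing system.
HR_RECORDS = [
    {"employee_id": "E100", "name": "J. Example", "role": "executive",
     "address": "12 Harbour Road, Suite 4, Springfield"},
    {"employee_id": "B010", "name": "K. Director", "role": "board",
     "address": "7 Elm Avenue, Springfield"},
    {"employee_id": "E200", "name": "A. Staff", "role": "employee",
     "address": "99 Mill Lane, Springfield"},
]
VENDOR_MASTER = [
    {"vendor_id": "V001", "name": "Harbour Consulting LLC",
     "address": "12 harbour rd. ste 4, springfield"},
    {"vendor_id": "V002", "name": "Office Supply Co",
     "address": "5 Industrial Ave, Springfield"},
    {"vendor_id": "V003", "name": "Mill Lane Services",
     "address": "99 Mill Ln, Springfield"},
]
CHECK_REGISTER = [
    {"check_no": "1001", "vendor_id": "V001", "amount": 15000.00},
    {"check_no": "1002", "vendor_id": "V002", "amount": 420.50},
    {"check_no": "1003", "vendor_id": "V001", "amount": 9800.00},
    {"check_no": "1004", "vendor_id": "V003", "amount": 1200.00},
]
PURCHASE_ORDERS = [
    {"po": "PO-77", "ship_to": "12 Harbour Road Suite 4, Springfield", "amount": 3200.00},
    {"po": "PO-78", "ship_to": "1 Main Street, Springfield", "amount": 150.00},
]

# Assumed scope: executives and board members. The guide leaves it to the CAE
# whether board members are tested alongside executives; widen as required.
DEFAULT_SCOPE = frozenset({"executive", "board"})

# Street-type words reduced to one spelling so that formatting differences
# between systems do not hide a match.
ABBREVIATIONS = {"road": "rd", "street": "st", "avenue": "ave",
                 "suite": "ste", "lane": "ln", "apartment": "apt"}


def normalize_address(raw):
    """Lower-case, strip punctuation, collapse whitespace and abbreviate
    street types: 'Harbour Road, Suite 4' == 'harbour rd. ste 4'."""
    tokens = re.sub(r"[^a-z0-9]+", " ", raw.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def in_scope_index(hr_records, scope=DEFAULT_SCOPE):
    """Map normalized home address -> HR records whose role is in scope.
    Feed it the full HR history so retired/terminated executives are covered."""
    index = defaultdict(list)
    for rec in hr_records:
        if rec["role"] in scope:
            index[normalize_address(rec["address"])].append(rec)
    return index


def vendor_address_matches(hr_records, vendors, checks, scope=DEFAULT_SCOPE):
    """Vendors whose remit-to address equals an in-scope person's home address,
    with total payments to that vendor taken from the check register."""
    index = in_scope_index(hr_records, scope)
    paid = defaultdict(float)
    for chk in checks:
        paid[chk["vendor_id"]] += chk["amount"]
    findings = []
    for vendor in vendors:
        for person in index.get(normalize_address(vendor["address"]), []):
            findings.append({
                "vendor_id": vendor["vendor_id"], "vendor_name": vendor["name"],
                "employee_id": person["employee_id"], "role": person["role"],
                "total_paid": round(paid[vendor["vendor_id"]], 2),
            })
    return findings


def shipto_address_matches(hr_records, purchase_orders, scope=DEFAULT_SCOPE):
    """Purchase orders whose 'ship to' address is an in-scope person's home."""
    index = in_scope_index(hr_records, scope)
    return [{"po": po["po"], "employee_id": person["employee_id"],
             "amount": po["amount"]}
            for po in purchase_orders
            for person in index.get(normalize_address(po["ship_to"]), [])]


if __name__ == "__main__":
    for hit in vendor_address_matches(HR_RECORDS, VENDOR_MASTER, CHECK_REGISTER):
        print("vendor address matches in-scope person:", hit)
    for hit in shipto_address_matches(HR_RECORDS, PURCHASE_ORDERS):
        print("ship-to address matches in-scope person:", hit)
```

A match is a lead for follow-up, not a finding: a vendor that shares a multi-tenant office address with an executive matches just as a vendor registered at the executive’s home does, so each hit has to be traced to the underlying invoices, approvals, and disclosures. The same normalization must be applied to every source, and the HR index should be built from the full employee history so that retired and terminated executives are covered, as the audit program itself asks.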
ECB transactions in most organizations are recorded in electronic systems applications. Extracting and analyzing data and crosschecking between databases usually require the audit team to have IT skills and to use computer-assisted audit techniques.

Audit Program Development

This section includes various concepts, potential tests, and questions to help auditors create an audit program. It is not a comprehensive list, nor should all of these considerations be tested. As always, the risk assessment should lead to development of an appropriate program.

Board of Directors and Committees

A critical board role related to ECB is to balance the interests of shareholders (risk management and fiduciary responsibility) with those of management (who desire to be paid well commensurate with work performed). The board needs to approve a strategy that balances short- and long-term goals and attracts, retains, and motivates people to achieve those goals in an ethical culture. The board is also responsible for managing the other ECB risks relevant to the organization and managing the expectations of other stakeholders.

The conflict of interest risk in ECB warrants board responsibility for risk assessment, approval, and monitoring. Most organizations use a board committee (the compensation or HR committee) to perform this role. Many organizations structure such a committee to be independent from management, with the right to retain outside advisers (legal or subject matter experts) to assist in evaluating strategies and programs.

When designing audit procedures appropriate for the organization and scope, there are several considerations.

1. Board and committee terms of reference, minutes, agendas, and information packages relevant to ECB.
   • Is there enough information provided, with enough time to deliberate and ask questions before making decisions? Is the information complete and accurate?
   • Are the board members qualified, and do they have independent,⁸ qualified advisers to help them make appropriate ECB decisions?
   • Is the board seeing the full scope of ECB, or just a few elements (such as base salary and annual cash incentive awards, without considering long-term equity awards)?
   • Is the information system used for gathering and summarizing information reliable?
   • Are the organization’s programs benchmarked? Are the appropriate industries/competitors selected for benchmarking? Is benchmarking causing unintended consequences such as a bidding war or “competition of egos”?
   • Does the board understand the organization’s required disclosures and disclosure controls, and does it approve disclosure of ECB?
   • Does the board review and approve all relevant aspects of the pension, profit sharing, and similar funds (e.g., fund managers, fund investment strategies, audits, disclosures, and valuations)?
   • Does the board receive and discuss results of ECB audits by regulators or customers? Is the board reacting appropriately to such information?
   • Is there evidence of approvals for new ECB programs and for material changes? Are board approvals made in compliance with bylaws and granted authorities?
   • How are board compensation and benefits determined? Are independent and qualified advisers used? Are board compensation and benefits programs benchmarked? Are they aligned with performance results?

⁸ Consider the volume, value, and types of other consulting work done for the organization by the advisory firm when evaluating the adviser’s independence.

2. Board self-assessment surveys and results (considering the impact of the responses in relation to ECB governance).
   • Is the board satisfied with its processes? With management information? With its independence? With its use of external advisers?

3. Board performance evaluations of the CEO and other executives.
   • Is it a reasonable process, and is it done frequently enough? Is there a balance of short- and long-term objectives? Are the compensation and benefit awards aligned with organizational and individual performance? Are all appropriate performance criteria included?
   • Is the board reviewing the performance evaluations and subsequent compensation and benefits that the CEO awards to his or her subordinates?

4. Key employee retention plans.
   • Is the board considering the impact of ECB on key employees identified in the retention and succession plans?

5. Employment contracts and termination agreements.
   • Has the board signed any employment contracts with the CEO or other executives? Did the board obtain independent legal counsel?
   • Have the terms and conditions been integrated into the board’s risk discussions? Have they been disclosed appropriately? Have they been accounted for appropriately?
   • Does the board review employment contracts signed by the CEO for other executive positions?
   • Do termination agreements appear to reward failure (e.g., severance paid to “keep quiet” or bonuses paid when results are poor)?

6. ECB strategies and objectives.
   • Has the board articulated its ECB strategies and objectives? Are the strategies designed to motivate appropriate behaviors? Is the board monitoring results? Would the strategies be deemed appropriate by media, the public, or other stakeholders?
   • How does the board deal with special circumstances? For example, if share market price is an element of the bonus program, it is generally assumed that management can impact the value of the organization, and therefore the share price. But is the bonus program re-evaluated when significant market swings occur (either up or down) that management cannot influence? Does the ECB consider change of control (mergers and acquisitions, majority ownership, or significant change in board membership)?
   • What is the strategy related to post-employment benefits and severance (e.g., golden handshakes or golden parachutes)?
   • Does the ECB strategy balance the tangible (money, assets) with the intangible (culture, opportunities, monitoring, status, mission) to attract and retain appropriate personnel?
   • Is the board aware of, and satisfied with, how much HR and payroll costs (direct and administrative) are expended on behalf of executives and how much for other employees?
   • What is the strategy for offering allowances rather than reimbursement of expenses? Is it reasonable and cost-effective?
   • How does ECB fit into the organization’s risk assessment, and what controls have been adopted to ensure success?

Along with reviewing documents, the internal auditors can gather information by surveying the board and committee members and/or interviewing them.

IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Management • Do they cover post-retirement ECB (e.g., medical


There are a significant number of management responsi- and pensions)?
bilities involved in developing, administering, and moni- 2. Payroll.
toring executive compensation, so reasonable attention
is required when planning and scoping the audit. For ex- • Are the salary and benefits complete and accurate
ample, a simple objective, such as “Is the organization in (e.g., approved programs and increases/awards)?
compliance with disclosure regulations?” requires review • Are classifications, computations, withholding,
of many systems, such as payroll, accounts payable, cost remittances, and filings compliant with regulatory
center accounts, board processes, contracts, and regula- and contractual requirements?
tory filings and may extend beyond the organization into
• Do IT controls prevent unauthorized changes?
external business relationships.
3. Accounts Payable.
Internal auditors need to evaluate their organization,
• Are expense accounts in compliance with com-
regulated compensation and benefits for their operating
pany policies, regulatory requirement, and con-
locations, and employment contracts for examples of po-
tractual obligations?
tential ECB to be scoped into their audit programs. Any
departments that could pay, reimburse, or pay suppliers • Can the vendor master be compared with the
on behalf of executives and their families, as well as those check register for payments made to executives or
departments that manage company assets, might be in- their family members (e.g., address matching)?
cluded in the scope. • Do IT controls prevent unauthorized changes?

There are several considerations when designing audit • Are expense accounts of executive assistants
procedures appropriate for the organization. unreasonable, or are the executive’s expenses
claimed by the assistant and approved by the
1. Compensation policies and procedures. executive?
• Can accounts payable and treasury records be
• Have they been approved by the board? Have crosschecked with addresses from HR for pay-
they changed, and are the changes significant? ments sent to executives or their family (for ac-
Are they aligned with other board and manage- tive, retired, and terminated employees)?
ment strategies? Are all compensation programs
aligned within the organization, consistently re- • Can the “ship to” addresses from purchase orders
warding or penalizing similar behavior or actions? be crosschecked with employee addresses?

• Are they administered effectively and applied 4. Corporate treasurer or finance function.
consistently and fairly by managers? • Are cash advances or petty cash reimbursements
• Are proportions of short- and long-term, fixed and to executives or family members used appro-
variable (at risk), legally required benefits versus priately? Are advances cleared appropriately, in
optional, cash/non-cash reasonable? Are they compliance with policies and procedures?
competitive in the market? Are they consistent • Have wire transfers to executives, their families,
with industry standards? and organizations commonly known to supply

www.theiia.org/guidance / 8
IPPF – Practice Guide
Auditing Executive Compensation and Benefits

perquisites (e.g., for vehicle repairs, golf or entertainment facilities, clubs, transportation, and gift shops) been accounted for appropriately?
• Have share transfers to executives and family members been controlled appropriately? Are regulations affecting securities trading complied with (e.g., trading bans and blackout periods)? Do compensation or benefits that are paid as shares, rights, warrants, or options (related to company stock) require strong controls to ensure valuation, accounting, disclosure, and taxation are handled appropriately?
• Do payments made to the organization by executives indicate undocumented loans or reimbursement for personal use of the organization’s credit card?

5. Audit results and action plans.
• By regulators, such as government tax authorities or securities exchanges.
• By customers, who may have the contractual right to audit direct costs or rates charged.
• By external auditors for compliance with accounting standards, disclosure requirements, and ethics or risk management issues.
• Does management’s strategy appear to be “We’ll do it this way until we get caught”? Are internal control weaknesses addressed timely and appropriately?

6. Market surveys, employee satisfaction surveys, and benchmarks.
• Do results indicate ongoing or pending issues? Have they been reviewed with the board and executive management?

7. Public perception.
• Does the company receive recognition, such as “Top 10 Companies to Work For,” “CEO of the Year,” news clippings regarding ECB, etc.?
• Do payments from executive programs appear to reward failure—for example, a bonus paid to an executive for achieving targets through significant lay-offs or facility shutdowns? This action could lead to public outrage if the perception is that the executive’s income is more important than the employees’ incomes. Other examples include significant payments to executives who are terminated for failure to perform (golden parachutes) or to encourage an executive to “go quietly.”

8. Employment contracts, including termination and loan agreements.
• Are employee loans legal? If so, are there any regulatory restrictions that apply to loans?
• Are the loans given at market interest rates, or below? Are repayment terms reasonable, and are they being met? Is there collateral/security for the loan? Check for loan write-offs or loan forgiveness.
• Are key executives entitled to any of their employer’s products or services free of charge or at a discounted rate? If so, is this appropriately recorded and approved?

9. Turnover statistics, exit interviews.
• Do results indicate ongoing or pending issues? The auditor may expand the audit program based on these results.
• Have these results been reviewed with the board and executive management?

10. The administrative cost center charges for executives/administrative assistants.
• Are there charges paid directly to vendors where the executive benefits? These could include charges for clubs, travel, gifts, and entertainment. If so, have the charges been approved and reported/classified appropriately?


11. Facilities and equipment.
• Can use of the organization’s assets by the executive and his or her family provide useful information to evaluate potential ECB (e.g., by checking logs and manifests)? Assets to consider include company vehicles (e.g., planes, trains, automobiles, trucks, boats, snowmobiles, and jet skis), housing (e.g., homes, apartments, resorts, cabins, trailers, hotels, and camps), dining and entertainment facilities (e.g., cafeteria, catering contracts, restaurants, meeting rooms, theatres, and auditoriums), and computers and telecommunications (e.g., laptops, blackberry devices, phones, printers, photocopiers, cameras, and software).
• Are some of the assets located in personal residences?

12. Financial reporting.
• Are accounting and financial reporting correct? For example, are costs in the right accounts, cut-offs appropriate, accruals, estimates and valuations appropriately applied to transactions, commitments, and agreements? Are significant variances explained?

13. Public and Regulatory filings (ECB related, such as disclosures and taxes).
• Are they complete, accurate, and timely?
• Are descriptions of ECB elements clear and understandable, providing the right level of transparency?
• Are ECB amounts accurately presented, derived from processes with sufficient internal controls?

14. Double dipping.
• Is it possible for an executive to be reimbursed twice for some expense? The risk of double dipping is greater when a different system or department than the general employee benefit payment system handles the executive payment/reimbursement process (e.g., one reimbursement processed through payroll and another through accounts payable). Take for example reimbursement of employees at a specific rate for each mile/kilometer driven (to cover operating and capital costs) when the executive is also provided with a vehicle or vehicle allowance.

15. Employment taxes.
• Are benefits handled via accounts payable or similar, non-payroll functions?
• Are specified benefits taxable in one jurisdiction (country, state, or province, etc.), but not taxable in another? If so, is the organization treating the benefits appropriately on tax returns and financial statements?

16. Metrics Used for Calculation of Compensation.
• Are compensation amounts based, at least in part, on specified metrics? If so, are metrics easily verifiable (e.g., based on public external data such as stock price or revenue growth) or dependent on internal data which is not as easily verified?

17. Override of ECB controls.
• Is it possible for management to override controls in ECB, including IT controls? For example, executives could apply pressure on clerical staff or their administrative assistants.

External Business Relationships (9)

Many organizations outsource compensation and benefit services as well as payroll and accounting services. If vendor audits have been scoped into the audit plan, some of the previous review considerations may need to be performed.

(9) For more information, refer to the IIA Practice Guide “Auditing External Business Relationships.”



Reputation risk is often based on association with, influence over, or deemed agreement with ECB policies of business partners. For example, an executive may receive remuneration as an officer of a related organization. If joint venture or partnership arrangements are included in the scope, consider designing your audit program with the following considerations.

Within your organization:

• Do contracts include a “right to audit clause” and requirements for confidentiality? Have they been approved appropriately?
• What are the criteria for selecting vendors and were they followed? How is vendor performance measured and reported?
• What proportion of the vendor fees are related to serving executives versus other employees?
• How are vendor controls monitored by the contract or program manager?

Within the service provider’s organization:

• Are there adequate IT controls to protect the organization’s information? Attestation standards from public or regulatory audit standard setters are a source of information.
• Are distributions to executives accurate and complete? Are they compliant with policy? How are changes authorized?
• Is there evidence of the organization’s entertainment of executives (vendor expense accounts and promotional activities such as golf tournaments, fishing or resort trips, and gifts)? Is it consistent with both organizations’ policies?
• Is there evidence of possible conflict of interest with the vendor’s customer list? For example, a board member works for an organization that is also the deemed vendor’s customer.

External organizations may restrict access to certain processes or information. Internal auditing may need to use an independent third party to perform all or part of the audit and provide assurance.



Appendix A – Types of Executive Compensation and Benefits

There are many compensation and benefit types, but those discussed herein are generally unique to executives, or where executives receive enhanced programs and payouts compared with other employees.

To determine which ECB programs to include in the scope of an audit, auditors should consider the unique aspects of the ECBs of the organization, employment contracts, regulated compensation, and complexity of the organization.

Family members also may obtain benefits that are attributable to the executive. Some benefits are considered taxable income for the recipient and some are not deductible by the organization for tax purposes (varies based on legal jurisdiction). Some compensation and benefits are legally mandated, while others are discretionary (varies based on legal jurisdiction), and some forms of benefits may be considered illegal in some jurisdictions.

If the organization offers any ECB programs to contractors, the internal auditor should consider the potential legal and ethical impacts.

Compensation

Allowance: Fixed payments paid periodically to reasonably approximate the employee’s costs for a particular type of expense (e.g., car, housing, and clothing allowances). Once received, employees may use the money as they choose.

Awards (10): Similar to a bonus, but most often used to reward individual goal achievement (e.g., safety milestones or years of service) or for unexpected or extraordinary performance. Awards may be paid as a fixed amount or a percentage of salary, and may be paid in currency, shares, gift cards, property, or services (e.g., vacations, cars, jewelry, and spa treatments).

Bonus: Remuneration paid for achieving a specific goal. Bonuses may be structured for short- or long-term performance of the organization, department, or individual. Bonuses are generally paid once, then must be earned again. Bonuses may be paid as a fixed amount or a percentage of salary, and may be paid in currency, shares, stock options, property, or services (e.g., vacations, cars, jewelry, and spa treatments). Bonuses based on organization goals may be referred to as profit sharing, gain-sharing, “tantieme”, or incentive plans. Gain sharing is a program that returns cost savings to the employees, usually as a lump-sum bonus. It is a productivity measure, as opposed to profit sharing, which is a profitability measure.

Commission: Pre-established remuneration paid for achieving specific sales (per piece, volume, or value based) or a marketing service goal (e.g., referrals to new customers or entry into new markets).

Pension: A fixed or variable rate of remuneration paid periodically to a former, qualified employee (or his or her beneficiary) who has reached a specific retirement age or is deceased. Pension plans are often defined benefit plans or defined contribution plans and are highly regulated in many countries. Employees may receive pension payments from both their employers and from governments. Pension plans may be combined with insurance schemes in superannuation plans or provident funds for the welfare of the employee. Executives generally have enhanced pension plans that exceed the standard for other employees. A company may offer various types of retirement plans (e.g., qualified for preferential tax treatment or non deferred benefit plans) and all should be reviewed for benefits due an executive.

(10) In Australia, an award is a pay scale related to an industrial agreement (union led); however, in many international organizations, an award is as described in this appendix.



Perquisites: Benefits (often called fringe benefits) offered at the employer’s discretion, rather than benefits required by law. Examples of perquisites include company cars or car allowances, parking, airline lounge memberships, and use of corporate jets. Perqs (colloquial term) are often seniority based and may also include the “right of first refusal” for event tickets, job openings, conference attendance, etc.

Severance: Remuneration made to an employee upon termination from the organization. Severance can take the form of a lump sum payment or may be paid out over a specified period. Severance may be paid as a fixed value or a percentage of salary, and may be paid in currency, shares, property, or services (e.g., health-care benefits, outplacement services, cars, jewelry, club memberships, and access to employee discounts). Severance is generally determined by laws and company policy, which is influenced by case law (from court rulings on cases of challenges to severance pay). Executive severance that has been pre-agreed in an employment contract is often referred to as a golden handshake or a golden parachute. Severance may also be referred to as a gratuity payment. Executives generally receive enhanced severance programs compared with other employees.

Benefits

Athletic or Cultural Facility Seats: The purchase of seats or facilities (boxes) in sports arenas or performing arts centers with the intent to use the tickets for entertaining customers and as employee rewards. Personal use of the tickets by executives, directors, and employees is considered a benefit.

Athletic, Cultural, Dining, and Travel Club Memberships: Reimbursing or paying directly for employee (and/or family) memberships in health clubs (e.g., gyms, spas, pools), sports clubs (e.g., golf or tennis), entertainment clubs (e.g., gambling, dining and dancing), and airline lounges as benefits.

Financial and Retirement Planning: An allowance or service that assists the employee in creating and managing a personal financial plan and budget. Accounting and tax preparation services, as well as advising on investment and tax strategies, also may be included.

Gifts: Gifts can include currency (e.g., cash or gift cards for retail outlets), shares, property, or services (e.g., vacations, cars, jewelry, and spa treatments) given to employees. When business property that is regularly used by the employee is given to the employee upon termination, this is considered a gift (e.g., office furniture, phone, computer, and tools).

Health Examination Allowance: An allowance typically up to a certain value for a periodic health examination.

Insurance: Payment for all, or a portion of, premiums for life and disability insurance, medical and dental care, unemployment insurance, home and car insurance, etc. The organization may also choose to self-insure and pay directly for any of these types of losses, or they may reimburse employees for all or a portion of insurance coverage or deductibles.

Loans: No- or low-interest loans to employees for relocation, purchase of company shares, purchase of home computers, etc.

Outplacement: Services provided to assist terminated employees in preparing for and finding employment elsewhere.

Personal Use: Free, personal use of company facilities or equipment, such as housing, dining rooms, hotels, resorts, computer and communication technology, recreational vehicles (e.g., snowmobiles, jet skis, yachts), theaters, and cameras. Free personal use of the organization’s services is also a benefit, including beauty treatments, professional services, facility and equipment maintenance, decorating, delivery, and use of staff to help with a personal activity.



Relocation: Covers the costs associated with transferring an employee to a new location. Benefits are often derived from the types of costs covered by the relocation program. For example, allowances may be paid for miscellaneous costs, loans to purchase houses, signing bonuses, remote location allowances, storage of personal effects that remain behind, tax and financial planning services, passports, language training, guarantees of spousal income or spousal placement services, guaranteed paid trips to alternate locations (e.g., family visits), tuition fees and school searches for children, maintenance of recreation property, and paid leave for moving.

Savings and Investment: Programs that facilitate and administer employee savings. Many organizations choose to contribute to such investments.

Security Services: Usually provided as a result of threat assessments and risk management programs, but they also may have a personal benefit associated with them. Examples of security services include personal bodyguards, alarm systems or patrols in the homes of executives, home safes or panic rooms, and self-defense training. Security Services may also be known as Executive Protection Programs.

Transportation: Transportation available to employees, and/or their families, for personal use (i.e., no business purpose can be rationalized, or the transportation is deemed as personal by regulations). Benefits take many forms, including:

• Allowances.
• A vehicle — where the organization purchases or leases a car, truck, etc. A process for reimbursement of operating expenses often accompanies this benefit.
• A vehicle and chauffeur.
• Parking.
• Airline lounge memberships.
• Public transit passes or tickets.
• Transportation from home to work (e.g., by bus).
• Use of the company airplane, train, or boat.
• Purchase of airline tickets or vacation packages.
• Frequent flyer points from trips taken for business purposes, if the employee is able to use the points for personal travel.

Taxes: When the organization pays the employment/income taxes on behalf of the employee, by paying the government directly, by reimbursing the employee, or by increasing bonus payments to cover the estimated cost of taxes.



Authors:
• Lynn C. Morley, CIA

Reviewers and Contributors:
• Abraham D. Akresh
• Douglas J. Anderson, CIA
• David F. Bentley
• Steven E. Jameson, CIA, CCSA, CFSA
• Norman D. Marks
• James A. Rose, III, CIA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Practice Guides are part of The IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this practice guide is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters: 247 Maitland Ave., Altamonte Springs, FL 32701 USA
T: +1-407-937-1111 / F: +1-407-937-1101 / W: www.theiia.org
IPPF – Practice Guide

Auditing External
Business Relationships

MAY 2009
IPPF – Practice Guide
Auditing External Business Relationships

Table of Contents
Introduction..................................................................................................................1

Executive Summary......................................................................................................1

Overview of External Business Relationships (EBRs)...................................................2

Examples of EBRs.........................................................................................................2

Benefits of EBRs...........................................................................................................3

Business Risks of EBRs................................................................................................6

Auditing EBRs.............................................................................................................12

Understand the Organization and Its Relationships.............................................13

Assess Risks and Controls...................................................................................13

Perform Audit Procedures....................................................................................14

Report..................................................................................................................14

Monitor Progress.................................................................................................15


Introduction

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.

Executive Summary

When contemplating the role of the internal audit activity in external business relationships, consider the following:

1. Organizations have multiple EBRs that satisfy a variety of business needs;
2. Each relationship presents risks;
3. It is management’s responsibility to manage these risks and achieve the benefits;
4. Internal auditing plays a key role in assisting management and validating management’s efforts.

Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organization that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also come inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.

Organizations’ managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship does allow an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.

The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships.

By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with their business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs, so that the organization can receive the full benefits of the business relationship.

Internal auditors need to understand all of the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate audit program with relevant audit objectives for audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.



It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Such audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust within the relationship, fostering feedback, improving relationships, and helping management improve internal and external controls.

Overview of External Business Relationships (EBRs)

“External business partners,” “extended relationships,” and “contractual relationships” are among the numerous names by which today’s organizations define their extended business relationships. Throughout this practice guide we will simply refer to these relationships as EBRs and the other entity as the EBR partner.

Organizations often use business relationships and varied partnerships to accomplish their objectives. To support and sustain growth, businesses are increasingly supported through outsourcing and licensing. More than ever, products and services are now developed through strategic alliances and joint development arrangements. Businesses have chosen to leverage these business relationships for reasons ranging from cost savings, a more economical or efficient labor force, increasing customer reach and scalability, or enhancing access to new technologies or a known brand. This business model, where businesses are interdependent, and where “external” and “extended” business relationships exist, is also known as the extended enterprise.

As used in this guide, EBRs do not include business relationships where the organization only furnishes information to other organizations and relationships are not necessarily created as a matter of choice; examples include rating agencies, financial analysts, and tax authorities.

Examples of EBRs

Relationship Type / Service Examples

Service Provider
• Processing (e.g., benefits, payroll)
• Accounting/computer service centers
• Information technology
• Shared service centers
• Internal audit co-sourcing or outsourcing
• Warranty processing
• Call centers
• Advertising/marketing
• Leasing
• Construction

Supply-side Partners
• Production outsourcing or assistance
• Research & development
• Suppliers/vendors
• Software development

Demand-side Partners
• Distributor/reseller
• Franchisee
• Licensee
• Replicator
• Original equipment manufacturer (OEM)

Strategic Alliances, Consortia, and Joint Ventures
• Cost sharing relationships (e.g., pharmaceutical development, production and distribution of oil and gas products, and media production and distribution)
• Revenue sharing relationships (e.g., pharmaceutical development and media production and distribution)
• Profit sharing (e.g., real estate, pharmaceutical, media)
• Combination of the above

Intellectual Property (IP) Partners
• IP licensees
• Internal IP usage (e.g., software)
• Bandwidth (e.g., telecom)
• Subscribers

Benefits of EBRs

Organizations choose to do business with EBR partners for a variety of reasons. An EBR partner brings a value that an organization, by itself, cannot efficiently or effectively create for its customers and potential customers. Some of the more common reasons for using EBRs include cost savings and leveraging a competence of the EBR partner that is not a core competence of the organization; but the benefits of using an EBR do not end there. See the table below for some of the benefits of using an EBR partner.

Benefit / Description of benefit

Cost Reduction
• Access to EBR partner’s lower cost structure
• Lower labor cost
• Reduce operational inefficiencies

Organization focus on core capabilities and offerings
• Allow the organization to focus on primary business and core competencies
• Better use of in-house resources
• EBR partner’s comparative advantage in providing service

Improved quality of service or product
• Utilize expertise of EBR partner
• Combined and collaborative knowledge brings together strengths of each organization
• Reduction in operational inefficiencies and errors

Access to new markets
• Increased opportunities to reach new markets
• Leverage relationships through EBR partners
• Economies of scale and size
• EBR partner’s knowledge of local culture and language

Timely completion of projects
• Timely, agile, and flexible resource pool, including personnel
• Larger and deeper knowledge pool to develop and implement more efficient and productive action plans

Resource augmentation
• Larger and more flexible personnel resource pool
• Access to a new resource pool of knowledge
• Access to better technologies and skills

Sharing of risk and risk management
• Sharing of investment risk
• Increased agility to allow an organization to change and react to risks more quickly


Organizations may reduce costs through EBRs. For example, costs may be reduced through leveraging an EBR partner’s lower cost structure which could exist through a greater economy of scale or location in a country with lower labor costs. Organizations that choose to proceed without using EBR partners are responsible for all costs, including research, marketing, development, and employee costs. Cost reduction is a common reason organizations choose to work with EBR partners.

Another key benefit gained through EBRs is enablement; an organization can leverage the capabilities of others and may focus on its own core competencies. Through the use of EBRs, organizations do not spend their resources on areas where they do not have expertise. By spending resources on non-core competencies, organizations may lose their competitive advantages, and valuable internal resources such as employees are required to support activities that tend to be more costly and less profitable. Meanwhile, resources pulled from an organization’s core business could cause a reduction in the success of its core business. EBR partners can solve this problem by addressing those areas outside of the core business, and internal resources can better leverage their skills by focusing on the core business.



EBR partners also have the ability to help the organization deliver improved services or create an improved product. An EBR may bring specialized skills or knowledge that an organization does not have. This knowledge and skill can greatly enhance the organization’s service or product by bringing innovation, learned efficiencies, and many other attributes the organization may not have. In addition, this collective knowledge and knowledge sharing may lead to greater innovation and better products and services as skills are used collaboratively.

EBRs may bring access to new markets. An EBR partner may have a presence in an existing market where an organization is trying to enter. By working with that EBR partner, the organization increases and enhances its ability to penetrate and grow within that new marketplace. The EBR partner may be able to share its relationships; it may have a known brand the organization can leverage in the new marketplace, it may have capabilities to leverage the organization’s intellectual property, or it may have regulatory, cultural, or other relevant knowledge of a new marketplace the organization does not have. An EBR partner may also increase an organization’s ability to penetrate and grow within a market through increased economies of scale and size by providing resources to help match the accelerated growth within a new market.

Projects may be completed more timely with the help of EBRs. One of the benefits EBRs can provide is a larger, more flexible resource pool. They can quickly provide an organization with skilled, specialized resources, which can help with the timely completion of projects that the organization may not have the resources to complete. In addition, EBR partners may have more experience in the area the organization is seeking help with, which can improve the likelihood for timelier completion of tasks and projects. The organization will not need to struggle on its own as it learns on the job. Ramp-up time will be reduced through the benefit of known successes and operational efficiencies from the EBR partner.

In general, an EBR partner can augment and improve the overall resource pool with experienced, knowledgeable, skilled personnel on a greater scale. This resource pool can augment areas of weakness for which an organization may have neither the resources nor inclination to address. EBR partners can also provide resources other than personnel, such as technology, to benefit an organization. Access to specialized technology can provide the organization with benefits such as automating existing manual processes, thus improving operating efficiency, production and service quality, or increasing the scalability of an organization’s output or reducing errors. Using an EBR can help the organization improve its internal controls, for example when the EBR partner has stronger controls than the organization.

Lastly, through EBRs, an organization can benefit through the sharing of risk and risk management. An organization can share its investment risk with an EBR partner in a new venture through capital investment, resource investment, and time investment. This may be the most common way in which organizations share risk. By sharing its capital, resources, and time investments in a project or venture, an organization reduces its risk of “putting all of its eggs in one basket.” The impact to an organization is reduced if business partners share in these investments, allowing the organization to make other investments and diversify its portfolio. Risk can also be reduced and risk management improved through EBRs. The comparative advantages that an EBR partner brings may be in areas that address the biggest risk an organization faces, thus reducing the overall risk of a project or venture. Benefits can include an increased ability to react to risks and make the appropriate changes with the EBR partner’s resources, knowledge, and skills available. Because an EBR may provide these benefits, internal auditors need to consider EBRs in making recommendations to improve operations and controls.


Business Risks of EBRs


Even though EBRs are designed to achieve benefits, there are significant overall and detailed risks. The following table lists a few examples of general business objectives and goals, associated risks, as well as potential control activities to mitigate those risks. Risks and controls associated with a sound procurement and contract management process are not addressed in the table below; rather, they are addressed in various IIA publications and training courses. Further, many aspects of Corporate Social Responsibility (CSR) are relevant when conducting business with EBRs. The table below briefly touches upon a few CSR concepts, but a broader discussion can be found in other IIA publications and information.

To achieve the benefits of EBRs and mitigate the associated risks, the organization needs to develop appropriate procedures and controls. These are addressed in the chart below and include the need to comply with EBR agreements and to proactively manage the relationship to enhance value and minimize risk.

Goal / Objective | Potential Risks that May Prevent Achievement of Goals and Objectives | Possible Organizational Activities to Mitigate Risks
Note: In each example below, conducting audits of EBR compliance is generally appropriate.

Goal / Objective 1: Identify and assess all EBRs
Potential risks: EBRs are not identified.
Additional risks:
• Relationships not identified cannot be assessed nor monitored appropriately.
• Relationships not identified may not have contracts in compliance with the organization’s contract policy and guidelines or the organization’s EBR policy and guidelines.
Possible mitigating activities: Designated employees document all EBRs and keep the documentation current. Supervisors review the documentation for appropriateness. Identify risks inherent in each relationship and assess residual risks, after considering controls.

Goal / Objective 2: Maintain positive reputation
Potential risks: EBR’s actions negatively impact the organization’s reputation.
Additional risks:
• EBR misrepresents organization values.
• EBR does not comply with contractual obligations.
• EBR violates laws and government regulations.
Possible mitigating activities: Legal department reviews the contract to determine whether it includes ethical standards, compliance with laws/regulation clauses, compliance requirements with specific organization values, and a well-documented right to audit (more than ‘books and records’; it relates to the broader relationship risks). When the relationship is initiated, appropriate due diligence is performed to determine if the EBR is likely to misrepresent organization values.


Goal / Objective 3: Minimize insurable risks (e.g., professional indemnity)
Potential risks: EBR partner does not maintain adequate/effective insurance coverage, including for the following:
• Workers’ Compensation (e.g., for time lost due to injury)
• Professional Indemnity
• Public Liability
• Motor Vehicle Insurance
Additional risks: Other risks arise where consortia are formed to provide a service or where the organization providing the service is a subsidiary of a larger organization (especially where the parent is not based in the same country):
• Insurance recommended for the particular contract might not cover all of the consortia members for that particular contract.
• In the case of a subsidiary, the insurance recommended for the particular contract might not apply to the subsidiary and/or the country in which the work is to take place.
• The parent company takes actions that void the insurance coverage of the subsidiary.
• Solvency of the underwriter and reinsurers.
Possible mitigating activities: Management review of adequacy and effectiveness of the EBR partner’s insurance coverage, before signing of the contract and during the life of the contract. Management may review:
• How the level of insurance was determined, and whether or not it is adequate.
• Whether insurance needs to be increased during the term of the relationship (e.g., the effect of inflation; previous claims record of the provider).
• Whether EBR partners provide third-party proof, such as a certificate from the insurance company.
• Contract clauses that require the provider to furnish updated insurance certificates during long-term contracts (where the contract extends beyond the expiry date of the initial insurance certificate).
• Effectiveness (including solvency) of the insurance provider.
Management’s review may include engaging an insurance specialist, review of case histories for similar circumstances, direct inquiry of the insurance company, and review of insurance coverage of the consortia or subsidiary.


Goal / Objective 4: Clear understanding of service levels between the organization and its EBR
Potential risks: Service levels are inadequate or unsatisfactory. Disputes or disagreements regarding the scope of services between the organization and its EBR.
Additional risks:
• The scope of the EBR’s deliverables is not adequately defined in contract documentation, a memorandum of understanding, a service level agreement, or some other similar documentation detailing the terms of reference.
• Differences in understanding or interpretation of the service requirements.
Initially, this may be documented in a request for tenders/quotes, where an organization requests potential EBR partners to provide the best value-for-money solution. Products to be delivered or constructed may be defined in a scope of work document that defines quality requirements and the regulations or standards to be complied with. Whatever the form of service or product to be delivered, the guiding principle is that the service or product to be delivered is adequately defined, understood, and agreed upon by all parties.
Possible mitigating activities: Management and legal review of the contract for the following:
• Are the contract and/or supporting documentation clearly documented?
• Have key stakeholders in the relationship approved the document?
• Does the contract include an adequate right to audit clause (not just limited to financial books and records) and an agreed-upon disputes resolution process?
• Has responsibility for managing the contract been assigned?
• Does the contract include a clear duty to report key parameters on a regular and timely basis?
• Does the EBR partner have adequate skills and experience?
• Are invoices received from the EBR partner adequately documented to enable identification of “out of scope” requests?
• Are approvals for work to be performed and payments to be made at an appropriate level of authority?
• Are processes adequate to measure and validate expected levels of service?
• Is information provided by the EBR partner validated for accuracy, relevance, and timeliness?


Goal / Objective 5: EBR is able to provide services without conflicts of interest
Potential risks: EBR identifies conflicts of interest in providing services.
Additional risks: Conflicts of interest may be actual, potential, or perceived. A conflict of interest may not necessarily preclude an EBR from providing a service; however, adequate controls are needed to mitigate the risks. Examples of how these may arise in an EBR include:
• Quality or timeliness of work may be adversely affected due to other contracts in place.
• Information obtained during the contract may adversely influence decision making due to other contracts in place.
Possible mitigating activities:
• Requiring the EBR partner to declare any actual, potential, or perceived conflicts of interest prior to accepting appointment.
• Requiring the EBR partner to declare any actual, potential, or perceived conflicts of interest as and when they may arise throughout the contract.
• Management review of declarations of interest for impact and to decide whether this is a contract violation and what action to take.

Goal / Objective 6: The organization receives appropriate remuneration for intellectual property (IP). The EBR appropriately secures the organization’s intellectual property (IP).
Potential risks: Intellectual property (IP) licensed to others could be receiving inappropriate royalty streams. Theft or misuse of ideas or technology.
Additional risks:
• Revenue leakage
• Breach of confidential information
• Inappropriate usage of intellectual property
• Risks associated with differing jurisdictions, legal practices, legal inefficiency, or even legal corruption.
Possible mitigating activities: Management and legal review to determine whether the contract includes clauses that ideas, technology, and/or intellectual property (IP) supplied by the organization are receiving appropriate royalty streams and remain the organization’s property. The contract is clear as to measurement and validation of royalty streams, who owns the IP generated as a result of the contract, and what the provider can and cannot do with such IP. To reduce the risk in countries with less than adequate legal protection, the contract with the EBR partner is written so that the EBR partner shares in the loss from poor control over IP.


Goal / Objective 7: Accurate fees for EBR services
Potential risks: Overcharges for inefficiencies or services not performed. Overcharges because of clerical billing errors.
Additional risks:
• Services performed do not agree with contractual obligations.
Possible mitigating activities:
• Require the EBR partner to maintain effective controls over its time recording system and any other system(s) that affect the amount charged.
• Project management plans identify the achievement of milestones and quality assurance over the services provided.
• Require the EBR partner to maintain effective controls over billing.
• Project director/manager reviews whether outputs of the contract meet all requirements and approves all charges for services prior to payment.

Goal / Objective 8: Risk of EBR going out of business is consistent with the organization’s expectations
Potential risks: EBR goes out of business and is unable to fulfill contractual obligations.
Additional risks:
• Solvency of guarantors or insurers could also pose risks.
Possible mitigating activities: Prior to appointment, management performs due diligence of the EBR partner’s business to provide reasonable assurance that it will remain viable throughout the contract period. The due diligence may include review of such areas as:
• What will be the impact of the contract on the EBR partner’s business?
• Does the EBR partner over-rely on certain key contracts?
• Do key financial indicators appear reasonable?
• Has data provided been audited?
• Does the organization have contingency plans in place to cover cancellation or the EBR partner’s inability to fulfill the contract?
For longer-term contracts, management updates this review at least annually.


Goal / Objective 9: Information shared with the EBR is properly secured and in compliance with appropriate privacy rules
Potential risks: Loss of confidential information.
Additional risks:
• Reputational risk
• Legal risk associated with loss of personally identifiable information (PII).
Possible mitigating activities:
• Require the EBR partner to maintain appropriate physical and logical security controls to restrict access to appropriate individuals.
• Require the EBR partner to review access to information on a periodic basis for appropriateness.
• Require the EBR partner to comply with data privacy and other laws and regulations.
• Management evaluates the EBR partner’s Statement on Auditing Standards (SAS) 70 or International Standard on Auditing (ISA) 402 report.

Some of the risks may be fraud risks, such as where the EBR partner fraudulently misappropriates the organization’s assets.

Lastly, and while not the focus of this guide, the internal
auditor should consider whether the organization has ap-
propriately complied with obligations and commitments it
assumes when contracting with others, i.e., mitigating the
risk that the organization itself does not comply with con-
tractual requirements.


Auditing EBRs

Similar to other internal audits, the International Standards for the Professional Practice of Internal Auditing apply when auditing EBRs. For example, the chief audit executive (CAE) includes internal audits of EBRs in the audit universe, determines which audits to perform each year, and staffs each audit with a competent, independent internal audit team. The internal auditor may combine the audit of EBRs with other audits, whether operational, compliance with laws and regulations, or financial statements.

The CAE needs to decide whether to audit each EBR as a separate audit, audit certain types of relationships, or audit the EBR process in totality. This last approach may allow the internal auditor to provide overall assurance on the EBR process. The remainder of this practice guide focuses on auditing the EBR. The broader context, including contract management, business partner selection, and others, is beyond the scope of this practice guide.

The following chart illustrates the cycle in performing individual EBR audits.

[Figure: EBR audit cycle. Understand the Organization and Its Relationships → Assess Risks and Controls → Perform Audit → Report → Monitor Progress → (back to) Understand the Organization and Its Relationships]


The following are the essential steps; like most internal audits, the process is usually iterative and need not follow the order below:

Understand the Organization and Its Relationships
• Understand the organization – The organization may have a variety of reasons for maintaining EBRs, as previously discussed. Each relationship presents its own set of risks and benefits. EBRs may be entered into and managed by one department or many, and may represent a broad range of importance to an organization. Understanding the organization’s structure, business model, strategic goals, and enterprise risks will enable an internal auditor to better understand the risks of non-compliance by an EBR partner.
• Understand the environment – Determine whether the organization’s EBRs have been identified; if not, request management to identify them. If the EBRs have been sufficiently identified, obtain information about the nature of each relationship, including contact information for the EBR partner, what they provide, amounts involved, contract details, and other factors.
• Understand your organization’s processes – How does the organization:
–– Determine the need for an EBR?
–– Determine and document the objectives and goals for the EBR?
–– Identify, assess, and document risks for the EBR?
–– Control the identified risks?
–– Perform due diligence (including obtaining background and checking references) on the EBR partner?
–– Approve entering into the agreement?
–– Approve the wording of the agreement?
–– Manage the relationship?
–– Monitor the EBR partner’s performance?
–– Provide feedback to EBRs?
–– Monitor its own compliance with the agreement?
–– Determine whether objectives were achieved?
–– Learn from the EBR partner?
–– Terminate the relationship?
–– Continue the relationship?
• Understand the general nature of each EBR – What are your organization’s objectives? What type of service is rendered? Who controls and monitors the relations with the EBR partner? Is there a written agreement, including appropriate expectations and protections? What are the key provisions? What level of approval did it receive? How important is the EBR to the organization’s business model? Is there an audit clause in the contract with the EBR partner? What does the organization do to enhance the relationship?

Assess Risks and Controls
• Understand the inherent risks – Determine the potential impacts, in the absence of any controls, of the inherent risks that the organization has assessed, along with those that the internal auditor has identified and assessed. See “Business Risks of EBRs” for examples of overall inherent risks and details.
• Understand the design of controls your organization has put in place to mitigate risks – Evaluate the control risk on a preliminary basis.
• Determine the key controls – Key controls are those which, if not effective, would mean the risks are not mitigated. See the table above for some typical controls.
• Understand the EBR partner’s environment, processes, and controls – How will goods or services be provided, and how will the EBR partner’s processes and controls mitigate the organization’s risks? This will provide further background and help in the internal auditor’s risk assessment.
• Determine which EBRs to audit further, which processes to audit, and the audit objectives – The audit


could be an operational audit (for example, did your organization achieve its objectives at a reasonable cost?), a compliance audit (is the EBR complying with laws and regulations, such as employee safety, child labor, product quality, or contractual obligations?), a financial audit (are controls over financial reporting effective and in compliance with regulatory guidelines such as Sarbanes-Oxley, and is information fairly stated?), or some combination of these audits.
• Determine whether the EBR partner’s internal auditor has performed work relating to the contract – Considerations include the objective, scope, and results of their work. Does the substance of the work support your objectives, and how or whether will you use their work?

Perform Audit Procedures
• Determine whether to perform on-site work at the EBR – Based on the audit objectives, determine if procedures need to be performed at the EBR (Note: some EBRs may not allow access by a business partner’s internal audit activity unless the contract provides access). If appropriate, design and perform tests to determine whether the key controls are operating effectively and/or to validate substantive matters.
The auditor may obtain the EBR partner’s user manuals and other guidance about its processes. For financial processes, this usually includes recommended procedures for the user and reports from a service auditor. International Standard on Auditing 402 (Revised and redrafted), Audit Considerations Related to an Entity Using a Third Party Service Organization (ISA 402), provides guidance and standards for external auditors; this guidance is useful for internal auditors testing those relationships. [ISA 402 is similar to SAS 70 (AU 324) in the US.]
ISA 402 discusses two types of reports that a service auditor may provide:
–– Type A – Report on the Design and Description of Controls at a Service Organization;
–– Type B – Report on the Design, Description and Operating Effectiveness of Controls at a Service Organization.
Type A reports are used to understand the service organization’s processes and the design of controls. The internal auditor uses Type B reports to determine whether controls at the service organization are operating effectively. For further guidance, see ISA 402.
The organization’s internal auditor may use the work of other auditors in auditing EBRs. For example, the internal auditor may work with the internal auditor of an EBR partner to obtain needed information or to perform necessary tests. Before making a decision to rely on the work of another auditor, the internal auditor determines whether the auditor performing the work is competent and objective. Further, the nature, objectives, and scope of the work to be relied upon are evaluated to determine if it supports the organization’s internal audit objectives.
• Evaluate test results.
• Identify findings and, as appropriate, reach conclusions – In doing so, consider whether findings apply beyond the individual EBR to other EBRs or to the organization’s entire EBR process. Taken individually, the results of EBR audits may identify deficiencies at the EBR partner or in the organization’s individual business processes. Even if the CAE did not plan the audits to reach overall conclusions, it may sometimes be possible to do so. By aggregating the results of individual EBR audits, the internal auditor may identify broader, systemic issues. After performing the individual contract audits, the internal auditor may consider forming an overall assessment and conclusion on the effectiveness of the organization’s EBR monitoring program. In doing so, the internal auditor considers whether enough work was done to reach overall conclusions.

Report
• Draft, discuss, and report the results – Results may be reported internally to aid in business process and control


improvements. Normally the auditor follows the usual reporting process to communicate with management and, if appropriate, with the board. However, when the auditor finds deficiencies in the controls or operations of the EBR, the auditor may also communicate with those managing the relationship with the EBR partner.

Monitor Progress
• Provide feedback to the EBR – Those charged with
managing the relationship may communicate with the
EBR about the need to correct any deficiencies identi-
fied. If the deficiencies are not corrected, those manag-
ing the relationship and others in management deter-
mine how to best mitigate the risks, including whether
to continue the EBR. This may be considered when the
EBR is scheduled to be renewed or earlier for a signifi-
cant deficiency. This is easier if the contract allows for
renegotiation when significant deficiencies are found.
The internal auditor may periodically perform procedures
to determine whether management has appropriately ad-
dressed the findings identified and may be called upon to
assist management to determine whether EBRs are being
appropriately managed.

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBR). Management also may use this guide in managing and monitoring the risks associated with these relationships.


Practice Guide Team Members


David W. Zechnich, CIA
Abraham D. Akresh
Gregory S. Dubis, CIA, CCSA
Gaston L. Gianni Jr., CGAP
Stephen J. Linden
Gilbert T. Radford, CIA
Susan L. Rudolph, CIA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Position Papers are part of The IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through a formal review and approval process. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
Practice Guide

Auditing Privacy Risks
2nd Edition

July 2012
IPPF – Practice Guide
Auditing Privacy Risks

Table of Contents

Executive Summary......................................................................................... 1
Introduction.................................................................................................... 2
Privacy Frameworks and Principles................................................................. 6
Privacy — Business, Nonprofits, and Government.......................................... 9
Auditing Privacy............................................................................................ 12
Top 12 Privacy Questions CAEs Should Ask................................................... 22
Appendix ...................................................................................................... 23
Authors and Reviewers................................................................................. 25

www.globaliia.org/standards-guidance / .

Executive Summary

Why Is Privacy Important?

One of the many challenging and formidable risk management issues faced by organizations today is protecting the privacy of personal information about customers, employees, and business partners. Consumers are concerned with how businesses and organizations use and protect this information. Business owners and management want to meet the needs and expectations of their customers, business partners, and employees; keep any commitments pursuant to contractual agreements; and comply with applicable data privacy and security laws and regulations.

Privacy is a global issue. Many countries have adopted privacy legislation governing the use of personal information, as well as the export of this information across borders. For businesses to operate effectively in this environment, they need to understand and comply with these privacy laws. Examples of influential privacy legislation include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s (EU’s) Directive on Data Privacy, and privacy acts from Australia, Japan, and New Zealand. Industry-sector privacy legislation from the United States includes the Gramm-Leach-Bliley Act (GLBA) for the financial services industry and the Health Insurance Portability and Accountability Act (HIPAA) for the health care industry.

There are many news stories about security breaches that involve the loss or disclosure of personal information. A greater number of organizations are outsourcing business processes and applications that contain personal information, in addition to using new technologies that can increase their privacy risk profile. Stakeholders such as boards1, audit committees, and other oversight groups want assurance around the organization’s processes that protect personal information.

The Benefits of Good Privacy Governance and Controls

Good governance involves identifying significant risks to the organization — such as a potential misuse, leak, or loss of personal information — and ensuring appropriate controls are in place to mitigate these risks. For businesses, the benefits of good privacy controls include:

• Protecting the organization’s public image and brand.
• Protecting valuable data on the organization’s customers, employees, and business partners.
• Achieving a competitive advantage in the marketplace.
• Complying with applicable privacy laws and regulations.
• Enhancing credibility and promoting confidence and goodwill.

For public-sector and nonprofit organizations, the benefits of good privacy controls also include:

• Maintaining trust with citizens and noncitizens.
• Sustaining relationships with donors of nonprofit organizations by respecting the privacy of their activities.

Sustaining Effective Privacy Practices

Most organizations recognize the need for implementing good privacy practices. However, the challenge is sustaining these practices. With the proliferation of technology that enables the collection, use, disclosure, retention, and destruction of personal information in large volumes, and extensive outsourcing of information technology (IT) and business processes in domestic and overseas locations, organizations may have difficulty identifying where this

1
The term board is used in this guidance as defined in the International Standards for the Professional Practice of Internal Auditing (Standards) glossary: “a board is an organization’s governing
body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the
organization, including the audit committee to whom the chief audit executive may functionally report.”

www.globaliia.org/standards-guidance / 1
IPPF – Practice Guide
Auditing Privacy Risks

data is stored, how it is protected, who has access to it, and whether it is disposed securely. The rapid evolution of technology, such as mobile computing, social networking, radio frequency identification (RFID), and location-based services, has increased the availability of and accessibility to personal information about customers, employees, and others. This evolution has outpaced legal frameworks, as well as industry and individual organization’s standards and practices needed to protect the privacy of this valuable asset. In addition, accountability and responsibility for maintaining a privacy program is not always clearly assigned and is often distributed throughout the organization. This can lead to inconsistency and uncertainty when it comes to ensuring good privacy practices are in place and are working effectively.

Introduction

As presented in The IIA’s Practice Advisory 2130.A1-2: Evaluating an Organization’s Privacy Framework, the internal audit activity can contribute to good governance and risk management by assessing the adequacy of management’s identification of risks related to its privacy objectives and the adequacy of the controls established to mitigate those risks to an acceptable level. The following describes some of the benefits of undergoing a privacy audit.

Privacy Audit Benefits

• Facilitates compliance with laws and regulations.
• Measures and helps improve compliance with the organization’s data protection system.
• Identifies potential inconsistencies between policies and practices.
• Increases the level of data protection awareness among management and staff.
• Provides information for a data protection system review.
• Provides assurance over reputational risks.
• Improves procedures for responding to privacy complaints.

This practice guide complements and expands on Practice Advisory 2130.A1-2. The guide provides the chief audit executive (CAE) and internal auditors with insight into privacy risks that the organization should address when it collects, uses, retains, discloses, and disposes of personal information. This guide provides an overview of key privacy frameworks to help readers understand the basic concepts and find the right resources for more guidance regarding expectations and what works well in a variety of environments. It also provides direction on how internal auditors can complete privacy assessments.

What is Privacy?

Privacy can take on several meanings and is often discussed in many contexts. It can be seen as descriptive or prescriptive, as a moral interest or a legal right. It can mean freedom from unwanted attention from others or freedom from observation or surveillance. It can cover the privacy of communication as well as information. In its simplest form, privacy has been defined as “the right to be let alone.”2

Privacy definitions in the business environment vary widely depending on country, culture, political environment, and legal framework. In many countries, privacy is closely linked to data protection. Of particular importance to organizations is how privacy is defined in their context. Whether using one of the definitions in Figure 1, or simply defining privacy as the protection of the collection, storage, processing, dissemination, and destruction of personal information, the many definitions of privacy can be used by any organization to guide its privacy program.

2
“The Right to Privacy,” Warren and Brandeis, Harvard Law Review, Vol. IV December 15, 1890, No.5.


Figure 1–Privacy Definitions

“Privacy is the protection of personal data and is considered a fundamental human right.”
— Organisation for Economic Co-operation and Development (OECD) Guidelines, 1980

“Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”
— European Union (EU) Directive, 1995

“The rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personal information.”
— The American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA), 2009

In today’s business context, privacy often refers to the personal information about an individual and the individual’s ability to:

• Know how his or her personal information is handled.
• Control the information collected.
• Control what the information is used for.
• Control who has access to the information.
• Amend, change, and delete the information.

Personal information is data that can be linked to or used to identify an individual either directly or indirectly. Some personal information is considered sensitive, as described in Figure 2. Privacy of personal information can be maintained by assuring adequate treatment and protection.


Figure 2–Examples of Personal and Sensitive Information

PERSONAL INFORMATION
• Name.
• Gender.
• Date of birth.
• Home address.
• Personal telephone number.
• Personal email address.
• Government identifier (e.g., identity card, social security number).
• Biometric identifier.
• Photograph or video identifiable to an individual.
• Behavioral information (e.g., in a customer relationship management system).

SENSITIVE HEALTH INFORMATION
• Medical records.
• Health plan beneficiary information.
• Physical or mental health information.
• Provided health services or any information collected during the health service.

SENSITIVE FINANCIAL INFORMATION
• Account numbers (e.g., bank accounts, credit cards).
• Financial history.
• Salary information.

OTHER SENSITIVE INFORMATION
• Racial or ethnic origin.
• Religious or philosophical beliefs.
• Political opinions.
• Trade union membership.
• Legal proceedings and civil actions.
• Combinations of certain information.


Some information, although not personal by itself, becomes personal and sensitive when combined with other information. Sensitive personal information generally requires an extra level of protection and a higher duty of care. Implementing a data classification methodology that includes personal information is an effective way for the organization to address the appropriate level of protection and duty of care needed. It provides guidance to help deliver and ensure consistent practices throughout the organization based on the nature of the data.

Privacy Protection
Privacy protection can be considered a process of establishing an appropriate balance between privacy and multiple competing interests. To minimize intrusiveness, maximize fairness, and create legitimate, enforceable expectations of privacy, a set of principles governing the processing of an individual’s personal information and a model of the privacy roles involved has evolved over decades (see Figure 3). The principles include a blend of substantive concepts such as data quality, integrity, and limitation of use, and procedural principles such as the concepts of consent and access rights.

Figure 3–Privacy Roles

When implementing a privacy program, there are major roles to consider:

Data subject — Individual whose personal information is collected, used, disclosed, retained, and disposed of.

Data controller — Organization that controls access to and processing of personal information.

Privacy officer — An organization’s privacy oversight, monitoring, and contact function.

Privacy commissioner — A governmental oversight authority.

Service providers — Circumstances where third parties are involved in processing personal information.

The way an organization manages personal information about customers, employees, and business partners that it collects, uses, retains, protects, discloses, and disposes of is at the core of the privacy issue for businesses. Recent incidents of identity theft, mismanagement of personal information, and violation of privacy principles have increased regulatory and consumer pressure on organizations to develop appropriate controls in relation to privacy, data management, and information security.
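The data classification methodology described above, keyed to the Figure 2 categories, as an added example that is not part of the IIA guide: a small Python helper that assigns a data set the highest protection tier its columns require, applies the rule that some columns are only personal or sensitive in combination, and orders an inventory of data sets by the duty of care they carry. The category table, the combination rules and the sample data sets are constructed assumptions, not values from the guide.

```python
"""Data classification helper keyed to the Figure 2 categories.

Added example, not part of the IIA practice guide.  Given the column names of
a data set it returns the highest protection tier the data set needs, which
columns drove that decision, and whether a combination rule fired (columns
that are not personal on their own but become personal or sensitive together).
The category table, the combination rules and the sample data sets are
constructed assumptions; an organization would take them from its own
classification standard and legal counsel.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, List, Tuple


class Tier(IntEnum):
    """Protection tiers, ordered by the duty of care they carry."""
    NON_PERSONAL = 0
    PERSONAL = 1
    SENSITIVE = 2


# Column name -> Figure 2 category (constructed mapping).
CATEGORY_OF: Dict[str, str] = {
    "name": "personal", "gender": "personal", "date_of_birth": "personal",
    "home_address": "personal", "phone": "personal", "email": "personal",
    "national_id": "personal", "fingerprint_template": "personal",
    "photo": "personal", "purchase_history": "personal",
    "medical_record": "sensitive_health", "diagnosis": "sensitive_health",
    "account_number": "sensitive_financial", "salary": "sensitive_financial",
    "credit_history": "sensitive_financial",
    "ethnicity": "sensitive_other", "religion": "sensitive_other",
    "union_membership": "sensitive_other", "court_case": "sensitive_other",
}

# Combination rules (constructed): each set of columns is harmless on its own
# in this policy, but together it singles out a person or reveals a sensitive
# fact, so the data set is lifted to the stated tier.
COMBINATION_RULES: List[Tuple[frozenset, Tier]] = [
    (frozenset({"postal_code", "birth_year", "employer"}), Tier.PERSONAL),
    (frozenset({"home_address", "prescription_count"}), Tier.SENSITIVE),
]


@dataclass
class Classification:
    tier: Tier
    personal_columns: List[str]
    sensitive_columns: List[str]
    combinations_fired: List[List[str]]


def _tier_of(category: str) -> Tier:
    if category == "personal":
        return Tier.PERSONAL
    if category.startswith("sensitive"):
        return Tier.SENSITIVE
    return Tier.NON_PERSONAL


def classify(columns: Iterable[str]) -> Classification:
    """Return the highest tier a data set with these columns requires."""
    cols = {c.strip().lower() for c in columns}
    tiers = {c: _tier_of(CATEGORY_OF.get(c, "")) for c in cols}
    personal = sorted(c for c, t in tiers.items() if t == Tier.PERSONAL)
    sensitive = sorted(c for c, t in tiers.items() if t == Tier.SENSITIVE)
    tier = max(tiers.values(), default=Tier.NON_PERSONAL)
    fired: List[List[str]] = []
    for rule_cols, rule_tier in COMBINATION_RULES:
        if rule_cols <= cols:          # every column of the rule is present
            fired.append(sorted(rule_cols))
            tier = max(tier, rule_tier)
    return Classification(tier, personal, sensitive, sorted(fired))


def build_inventory(datasets: Dict[str, Iterable[str]]) -> List[Tuple[str, Classification]]:
    """Classify every data set and order the inventory highest tier first,
    which is the order in which the extra duty of care should be verified."""
    rows = [(name, classify(cols)) for name, cols in datasets.items()]
    rows.sort(key=lambda row: (-int(row[1].tier), row[0]))
    return rows


# Constructed sample data sets, as an organization's inventory might list them.
SAMPLE_DATASETS: Dict[str, List[str]] = {
    "web_analytics": ["session_id", "page", "duration_s"],
    "crm_contacts": ["Name", "Email", "phone", "purchase_history"],
    "payroll": ["name", "national_id", "salary", "account_number"],
    "recruiting_export": ["postal_code", "birth_year", "employer", "job_title"],
    "pharmacy_loyalty": ["home_address", "prescription_count"],
}

if __name__ == "__main__":
    for name, result in build_inventory(SAMPLE_DATASETS):
        reasons = result.personal_columns + result.sensitive_columns
        reasons += ["+".join(r) for r in result.combinations_fired]
        print(f"{result.tier.name:13} {name:18} {', '.join(reasons) or '-'}")
```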

Privacy Risks
Privacy is a risk management issue for businesses, governments, and nonprofit organizations. Surveys continue to show that consumers and citizens are concerned with how organizations use their personal information. Failure of management and data controllers to address the protection of personal information presents numerous risks to the organization, including:

• Possible damage to the organization’s public image and branding.


• Potential financial or investor losses.
• Legal liability and industry or regulatory sanctions.
• Charges of deceptive practices.
• Customer, citizen, or employee distrust.
• Loss of customers and revenues.
• Damaged business relationships.

Privacy Controls
Providing adequate governance and oversight by boards and management is an essential control for addressing privacy risks faced by the organization. Other basic privacy control activities include setting objectives, establishing policies and procedures, and implementing monitoring and improvement mechanisms. In addition, the organization should assess privacy compliance and data handling practices and weaknesses, and benchmark them against internal policies, laws and regulations, and best practices.

An effective privacy program includes:

• Privacy governance and accountability.
• Roles and responsibilities.
• Privacy statement/notice.
• Written policies and procedures for the collection, use, disclosure, retention, and disposal of personal information.
• Information security practices.
• Training and education of employees.
• Privacy risk assessments and maturity models.
• Monitoring and auditing.
• Compliance with privacy laws and regulations.
• Inventory of the types and uses of personal information.
• Data classification.
• Plans to address privacy risks for new or changed business processes and system development.
• Controls over outsourced service providers.
• Incident response plans for breach of personal information.
• Plans to address corrective action.

Practice Advisory 2130.A1-2 also recommends that internal auditors contribute to good governance and accountability by playing an assurance and advisory role in helping their organization meet its privacy objectives.

Privacy Frameworks and Principles

3.1 Dealing With Numerous Regulations and Complex Expectations
Many privacy frameworks and principles have been developed and published since the late 1960s. The most useful frameworks are principles-based and usually address the rights of the individual for privacy, but they also try to give weight to the information rights of organizations, businesses, and economies to operate effectively.

Laws and regulations addressing privacy needs are varied, increasingly complex, and rapidly increasing in number by industry, local regulator, nation, or even region. Sound privacy frameworks can help an organization better comply. The core of a useful framework is better articulation of fundamentally accepted privacy principles.

Privacy needs and regulations have been a growing issue. Recognizing the importance of privacy needs, the United Nations formally sponsored studies as early as 1968 and developed principles based on human rights shortly thereafter. More recently, focus has been on developing “generally accepted” privacy principles to help balance conflicts in perspective. For example, governments need to protect individuals from harm, while also protecting society from criminal or terroristic threats by preventive monitoring of information or detective and investigative action using information trails.


Various recent privacy frameworks and principles are useful to those who:

• Oversee and monitor privacy and security programs.
• Implement and manage privacy in an organization.
• Implement and manage security in an organization.
• Oversee and manage risks and compliance in an organization.
• Assess compliance and audit privacy and security programs.
• Regulate privacy.

Figure 4 provides an example of some significant privacy frameworks from laws, regulators, and professional organizations as well as the commonalities of principles among these frameworks.

Figure 4–Privacy Framework Principles3

The table compares seven frameworks: AICPA/CICA GAPP4, the Australia Privacy Act, Canada PIPEDA, the EU Directive, the Japan Personal Information Protection Act, the OECD Guidelines, and the U.S. FTC5. Each row below is one GAPP principle followed by the corresponding principle in each of the other frameworks; “(none)” marks a framework with no corresponding entry in that row.

• GAPP: Management. Australia Privacy Act: (none). Canada PIPEDA: Accountability. EU Directive: Notification. Japan: Designate responsibility. OECD Guidelines: Accountability. U.S. FTC: (none).

• GAPP: Notice. Australia Privacy Act: Openness. Canada PIPEDA: Identifying purposes, openness. EU Directive: Information to be given to the data subject. Japan: Notice, public announcement of purpose of use. OECD Guidelines: Purpose specification, openness. U.S. FTC: Notice.

• GAPP: Choice and consent. Australia Privacy Act: Use and disclosure. Canada PIPEDA: Consent. EU Directive: Criteria for making data processing legitimate, data subject’s right to object. Japan: Consent. OECD Guidelines: Collection limitation. U.S. FTC: Choice.

• GAPP: Collection. Australia Privacy Act: Collection, sensitive information, anonymity. Canada PIPEDA: Limiting collection. EU Directive: Principles relating to data quality, exemptions, and restrictions. Japan: No unjust method of collecting. OECD Guidelines: Collection limitation (including consent). U.S. FTC: (none).

• GAPP: Use, retention, and disposal. Australia Privacy Act: Identifiers, use, and disclosure. Canada PIPEDA: Limiting use, disclosure, and retention. EU Directive: Making data processing legitimate; special categories of processing; principles related to data quality, exemptions, and restrictions; the data subject’s right to object. Japan: Purpose of use does not exceed its scope. OECD Guidelines: Use limitation (including disclosure limitation). U.S. FTC: (none).

• GAPP: Access. Australia Privacy Act: Access and correction. Canada PIPEDA: Individual access. EU Directive: The data subject’s right of access to data. Japan: Access and correction. OECD Guidelines: Individual participation. U.S. FTC: (none).

• GAPP: Disclosure to third parties. Australia Privacy Act: Use and disclosure, transborder data flows. Canada PIPEDA: Use and disclosure, transborder data flows. EU Directive: Transfer of personal data to third countries. Japan: Transfer of personal data, opt-out exception, delegation, merger, joint use. OECD Guidelines: Use limitation (including disclosure limitation). U.S. FTC: (none).

• GAPP: Security for privacy. Australia Privacy Act: Data security. Canada PIPEDA: Safeguards. EU Directive: Confidentiality and security of processing. Japan: Security control measures. OECD Guidelines: Security safeguards. U.S. FTC: Security.

• GAPP: Quality. Australia Privacy Act: Data quality. Canada PIPEDA: Accuracy. EU Directive: Principles related to data quality. Japan: Data integrity. OECD Guidelines: Data quality. U.S. FTC: Integrity.

• GAPP: Monitoring and enforcement. Australia Privacy Act: Enforcement by the Office of the Privacy Commissioner. Canada PIPEDA: Challenging compliance. EU Directive: Judicial remedies, liability and sanctions, codes of conduct, supervisory authority, and Working Party on the Protection of Individuals with Regard to the Processing of Personal Data. Japan: Enforcement. OECD Guidelines: Individual participation (including challenging compliance). U.S. FTC: Enforcement.

3
Adapted from the AICPA/CICA’s Comparison of International Privacy Concepts.
4
Generally Accepted Privacy Principles.
5
Federal Trade Commission.


3.2 Which Privacy Framework to Use?
It is critical for management to consult its own legal counsel for specific advice on applicable privacy laws and regulations in coordination with how the organization’s privacy framework and compliance approach is developed, assessed, and monitored.

The frameworks illustrated in Figure 4 share many common principles. In general, these frameworks are designed to help implement principles articulated by the applicable body. Some are globally, regionally, or nationally applicable, while others cover an industry, regulatory body, or specific set of professional or business needs. From a technical and legal standpoint, frameworks range from binding to fully voluntary, to transnational and national legislation, and to nongovernment organizations. Moreover, they encompass professional standardization bodies such as the International Organization for Standardization (ISO) and industry-driven bodies such as the Payment Card Industry (PCI) Security Standards Council.

No Single-source Solution
Identifying a specific privacy framework that is appropriate for any given organization depends on many factors; as such, it is not addressed in this guidance. In many cases, privacy laws and regulations dictate and influence the privacy framework the organization will adopt. In other situations, individuals and organizations may apply common sense, follow legislation, or pronounce how they plan to respond to potential privacy concerns by group or individual declaration. In any case, it is critical to coordinate and seek advice from legal counsel when developing or adopting a privacy framework.

Privacy — Business, Nonprofits, and Government

Commercial organizations have three major groups of stakeholders: owners/lenders, employees/staff, and customers/general public. Nonprofit organizations have employees/staff and oversight boards to manage their activities. Governmental organizations serve citizens and noncitizens and may have customers as well. In all cases, good governance recommends organizations consider privacy risks, even when they may be based on divergent reasons — from legal rights to just good business practice.

4.1 Privacy Impacts
Organizations use an individual’s personal information for various business activities such as market research, customer ratings, rights management, direct marketing, and data trading. This information also may be of interest to the individual’s community, friends, family, and professional network.

Personal information also could be collected and used by domestic and foreign governments, competitors, disgruntled employees, hackers, cyberterrorists, saboteurs, and identity thieves. Threats to data subjects require organizations to protect personal information adequately, avoiding adverse consequences and litigation.

4.2 Privacy Threats
Privacy threats and risks may be analyzed using a layered approach that depicts the organization, stakeholder, and individual.

Threats to Organizations
Organizations face tangible threats and risks: They realize the consequences of privacy failures almost immediately. The impact on the organization in the event of a privacy breach often attracts a high level of attention from the press, supervisory authorities, and privacy watchdogs. Functional threats may restrict an organization’s ability to attain its objectives and can cause operational disruption, inefficiency, or ineffectiveness. Threats to an organization’s reputation potentially limit its future capability to increase its customer base, serve the needs of clients,


or meet the expectations of citizens. Although privacy threats and risks may limit an organization’s capability to perform, a competitive advantage can be gained by managing them effectively. Financial impacts to an organization are of greatest interest to stakeholders; they are mainly a consequence of functional and reputational issues related to privacy risks. Additional privacy risks surface when an organization outsources or cosources some of its business operations, combines or discontinues business activities, or hires, administers, or terminates employees. Other business practices and control weaknesses that potentially elevate the organization’s risk profile are listed in Figure 5.

Figure 5–Privacy Control Weaknesses When Processing Personal Data

• Excessive collection.
• Incomplete information.
• Damaged data.
• Outdated information.
• Inadequate access controls.
• Excessive sharing.
• Incorrect processing.
• Inadequate use.
• Undue disclosure.
• Retaining personal information longer than necessary.

Threats to Stakeholders
Although implementing excessive privacy practices and controls may restrict an organization’s internal and external processing efficiencies, stakeholders usually face much higher risks from damaged reputation and litigation, thereby reducing the value and profitability of their investment. Maintaining good privacy practices is important in securing the value of shareholders’ investments in a corporation.

Threats to Individuals
Individuals often face direct consequences from privacy threats. They may be a victim of identity theft, bear extra cost, experience discrimination, or have limited choices when they offer their personal information to organizations such as governmental agencies, financial institutions, retailers, vendors, and service providers.

For example, when searching for new employment, individuals submit detailed résumés to portals, consultants, or potential employers, who may use their personal information for other purposes without the individual’s consent or knowledge. Personal information may be processed through screening and profiling techniques, which may be intrusive, unfair, unreliable, or cause adverse effects for the individual.

4.3 Sector Privacy Issues
It is crucial for internal auditors to understand the legal framework in which the organization operates and take into account all relevant laws, regulations, and other sector guidance. It also is important for the internal auditor to consult with legal counsel when gaining this understanding. This section covers examples of potential privacy issues by sector.

Government and Citizen
A large variety of governmental institutions collect, store, and exchange personal information linked to individuals. Data subjects and data controllers face the constant threat of personal information from vast government files being misused, lost, or stolen.

Public-sector regulation determines how to treat personal information. In many countries, laws exist for the different levels of public entities. Other countries have rules that apply on a case-by-case basis. Therefore, government auditors have to focus on a broad variety of records and programs — for example, real estate records, voter registers, census and opinion polls, taxation records, national


security files, and information collected for welfare programs, social work, education, and law enforcement.

Community Life and Social Services
Many social services institutions — insurers, public welfare programs, and social work programs, as well as other nonprofit organizations — maintain significant and sensitive databases to perform their activities. In many cases, public- or private-sector regulations would apply. Some institutions such as churches may be exempt from general legal frameworks, which may lead to a weak privacy regime. Communities have a high risk of losing the confidence and trust of their constituents when treating personal information without a high regard for confidentiality.

Social security and governmental systems can cause additional exposures through excessive or inappropriate data matching, or comparing personal information from a variety of sources. Often, there are specific rules, laws, and agreements that determine in which circumstances and to what extent data matching and sharing is legitimate. Another problem stemming from data matching is identifiers that could be abused to gather and match data, to manipulate, or to steal an identity.

Financial Services
Financial service organizations such as banks, credit card issuers, funds, and insurers maintain extensive sensitive personal information such as credit ratings, income, spending patterns, place of residence, and credit history. As a result, many regulations and active supervisory bodies exist.

Marketing and Retail
The marketing and retail industry is an extensive collector, user, and distributor of personal information. Personal information maintained for marketing and retail purposes can range from address lists to detailed consumer profiles, financial information, and purchase histories. For example, when an individual makes a purchase, his or her account may be debited immediately, with a record of the transaction showing the date, time, location, and vendor. When you are buying or surfing the Internet, retailers and marketing vendors may use behavioral advertising tracking techniques to monitor and gather personal information. In addition, tracing and tagging mechanisms such as RFID raise privacy issues about the capability to trace individuals.

Personal information is collected from many sources, including point-of-sale, individuals, public sources, information brokers, and other organizations. This information may be used to determine and contact potential customers, define customer clusters using data mining, or create detailed profiles for targeting individual needs and interests.

Sector associations offer various codes of conduct for marketing companies. For example, the Australian Direct Marketing Association (ADMA) provides a self-regulatory code of conduct that covers 10 National Privacy Principles (NPP) to be considered and addressed by all ADMA members.

Communication and Social Media
Communication and social media privacy include the ability to maintain the confidentiality of personal information, as well as the freedom to access media and communication channels. Personal information is captured by customer, subscriber, and lender registers. The entirety of such data can be used to derive preferences and profile individuals. Additional transactional data provides a repository of personal information related to purchase and utilization patterns, including communication partners, time, location, and content. This may cause issues such as spam, eavesdropping, unexpected disclosure of communication and content, and excessive government surveillance.


Utilities, Transportation, and Travel
Utilities and public transportation systems are sophisticated and networked. For example, when an individual passes a toll bridge, a toll is registered through RFID, the license plate is registered with the toll agency, and a credit card is charged. Another system registers the vehicle when it enters a parking lot five minutes later. These integrated systems can generate detailed profiles of individuals by matching data from traffic and access control systems with further transactional information. Many countries foresee the need to establish extra safeguards to avoid the excessive collection of personal data to protect citizen and consumer privacy in these circumstances.

Health Care and Research
Health care providers require and collect sensitive personal information on patients. Personal information is needed for clinical research, medical services, payment processing, medical testing, and disease management. In the United States, HIPAA protects patients’ personal information and applies to health plans, health-care clearinghouses, health-care providers, and employers. The legislation includes key elements such as limiting the use and disclosure of personal information and requiring administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure. Other countries have similar comprehensive laws.

International Businesses
Many laws and regulations require that individuals’ personal information not leave the regulated zone. These rules help address the concern regarding loss of control when personal information is transferred to another legal jurisdiction. Organizations that transfer such data could be subject to significant embarrassment, damaged reputations, or financial losses if the information is mismanaged. This creates serious challenges in a world of networked systems, where information is transported across borders within an organization, processed or stored in the cloud — which potentially traverses national boundaries and regulatory jurisdictions — or is shared with trading partners that use and process personal information on a transnational level.

Auditing Privacy

Auditing the organization’s privacy practices involves risk assessment, engagement planning and performance, and communication of results. However, there are additional aspects the CAE should take into account, including possible privacy breaches, staff management and record retention issues, and privacy assessments performed by other assurance providers. Many of these aspects are covered by practices of the internal and external audit professions. This chapter outlines some of the key issues and methodologies.

It is important for the auditor to communicate with legal counsel in the early stages of an engagement to discuss the objectives and scope of a privacy audit as well as to determine whether the audit and report of findings should be performed under attorney-client privilege.

5.1 Internal Auditing’s Role in the Privacy Framework
An organization’s governing body is responsible for deciding the risk it is willing to take and to ensure that resources are in place to manage risk according to that appetite. Addressing privacy risks includes establishing an appropriate privacy framework consisting of policies, procedures, and controls. Internal audit can evaluate that framework, identify significant risks, and make appropriate recommendations to enhance the privacy framework. When evaluating an organization’s privacy framework, internal auditors should consider:

• Liaising with legal counsel to understand legal implications:
o Laws and regulations in all jurisdictions in which business is conducted.


o Impact of laws and regulations in all jurisdictions in which personal information traverses, is collected, or is stored.
o Determine whether the privacy assessment should be under attorney-client privilege.
• Liaising with persons responsible for privacy within the organization to understand:
o Internal privacy policies and guidelines.
o Privacy policies intended for customers and the public.
o The maturity of the organization’s privacy controls.
• Liaising with IT specialists and business process owners to understand information security implications:
o Internal security policies and procedures.
o Security policies communicated to customers and the public.
o Information flows, system controls, storage, and use of personal information.
o Incident response programs and plans.

Typical areas that internal audit may review when auditing privacy include:

• Governance/management oversight.
• Privacy policies and controls.
• Applicable privacy notices.
• Types and appropriateness of information collected.
• Systems that process, store, and transmit personal information.
• Collection methodologies.
• Consent and opt-in/opt-out management.
• Uses of personal information for compliance with stated intent, applicable laws, and other regulations.
• Security practices, operations, and technical controls in place to protect personal information.
• Retention and disposal practices of personal information.

For additional considerations, refer to the Appendix, under Privacy Control Weaknesses and Actions Matrix–An Illustration.

Internal auditors should be careful not to assume responsibility for developing and implementing the privacy program, as this may impair their independence. Due to the complex regulatory and technical landscape impacting privacy, legal counsel should be engaged and consideration should be given to procuring third-party expertise for guidance as necessary.

5.2 Engagement Planning

Examples of privacy-related themes that would impact the nature of work by the internal auditor include:

• Ever-changing laws and regulations throughout the world to protect individual privacy.
• Protecting the personal information of individuals in third-party/cloud computing arrangements.
• The maturity level of the organization’s privacy practices, policies, and procedures.
• New technologies and business strategies that expose personal information to greater risk.
• Outsourcing and off-shoring of business processes that collect, use, retain, disclose, and dispose of personal information.
• Increased collection, use, disclosure, retention, and disposal of personal information.
• Continued threat of exposure to privacy breaches underscoring the need for a comprehensive privacy incident response plan.

5.3 Prioritizing and Classifying Data

A data inventory and classification program will assist in identifying and prioritizing critical business data, including personal information requiring protection. The auditor should determine the organization’s data classification levels, the framework used to classify data, and the baseline controls established for each classification. To assist in this determination, the auditor can ask the following questions:

• Does the organization have a comprehensive data classification policy? Are the levels of classification appropriate to ensure adequate controls? Are the classifications defined adequately?
• Has personal information data been classified? Are the levels of classification appropriate for ensuring adequate privacy controls? Has the data classification policy been communicated to those who are involved — including third-party service providers — in handling the data, from receipt through disposal? Is there a process to monitor changes in laws and regulations that would impact data classification? Are the classifications reviewed periodically to ensure they remain appropriate?
• Has data ownership for personal information been assigned, and have appropriate controls been established in handling the data?
• What are the regulatory penalties for mishandling privacy-protected data? What legal recourse would the impacted individuals have?
• How much harm can be caused to an individual if the information was unintentionally disclosed to unauthorized persons?
• How widely would a privacy breach be disclosed?
• Who would need to be notified? How will they be notified?
• How costly would it be to remedy various types of unauthorized privacy disclosures?
• How would a privacy breach impact customer, citizen (in case of a public entity), or investor confidence? How much would it cost to recover trust and confidence?

5.4 Assessing Risk

Four major areas of risk should be addressed throughout audit planning and when preparing the individual risk assignment: legal and organizational, infrastructure, application, and business process.

Legal and Organizational Risks

Legal and organizational risks include areas such as noncompliance with laws and regulations, lack of governance and privacy leadership, and insufficient resources to maintain an effective privacy program. Some questions to ask when addressing legal and organizational risks as part of the planning for a privacy audit include:

• Who are the designated privacy contacts? What percentage of their time is devoted to privacy issues, and is it adequate?
• Do they have sufficient knowledge, authority, budget, and management support to implement and maintain the privacy program?
• How do the organization’s privacy leaders maintain their knowledge of laws and regulations that impact the organization? Have they noted the privacy laws and regulations that impact their business? How do they monitor changes in laws and regulations and evaluate their impacts on the organization’s policies, procedures, and systems? How do they work with the data owners to implement appropriate controls to respond to the changes?
• How involved are the organization’s privacy contacts in the evaluation of new technologies and business programs to determine their potential privacy impacts?

• If the organization uses cloud computing services, has consideration been given to the privacy implications arising from the geographic location of the data and possible international transfers of personal information governed by international security and privacy laws, and do the contracts address these risks and security requirements adequately?
• Does the organization have a plan to respond to a privacy incident? Are the appropriate people included in the plan? Is the plan documented and up to date? Does it include requirements for breach notification in compliance with all the disparate international, national, and local regulations? Does the breach response plan include steps to lock down involved systems to preserve evidence needed for forensic investigation of the breach?
• Are templates of needed documentation for breach response already prepared, including a notification letter, frequently asked questions for those impacted, instructions for consumers to freeze credit reports, and a basic press release?

Infrastructure Risks

A basic principle of information security is to provide confidentiality, integrity, and availability of data, which coincides with many of the goals of a privacy program. An audit of a privacy program will necessarily involve significant review of information security controls. A challenging area may be identifying how personal information flows in and out of the organization, as well as where and how the information flows among third parties outside the organization.

Information has to enter and leave the application to be useful, often changing media several times during its useful life. The data can start as paper; be transported across the Internet; be processed in the cloud; obtained from, sent to, or stored on mobile devices; stored on a magnetic disk; printed out and put into a filing cabinet; backed up on an optical disk; and later sent off-site to a third party on tape. Each time personal information moves and changes format, new potential vulnerabilities are introduced.

Shredders, encryption, data leakage protection tools, locked files, and many other practices all play a role as countermeasures to leaking sensitive data. Auditors should review the life cycle of personal information the organization obtains from collection to disposal and determine whether it is handled with due diligence along each step.

Specific considerations for the auditor in evaluating the infrastructure risks to privacy include:

• Does the organization have a current data map and inventory of all personal information, including where it resides internally, where it flows into and out of the organization, and how it is transferred among third parties involved in handling personal data on behalf of the organization? Each platform, database, and other technology infrastructure component has its own risks to consider.
• The auditors should trace personal information both in transit over public and private networks and media handled by courier. Auditors also should follow up on stored personal information in production as well as in backup and disaster recovery environments. Specifically:
o How is personal information encrypted during transmission into and out of the organization and among third parties?
o Is personal information stored on portable media encrypted?
o Is personal information encrypted at rest?
• What role do mobile devices play in the collection, handling, and storage of personal information in the organization?
• What general controls are in place on IT platforms where personal information is processed or stored,
including access controls, patch management, and vulnerability scanning?
• Is personal information processed or stored in the cloud? Do cloud service contracts include specifications to ensure the appropriate infrastructure security and controls are in place, and does a right-to-audit clause exist?
• If personal information is being transferred or copied, is the post-transfer residual data treated with the same set of rules as the originating data?

Application Risks

Discovering not only who, but what handles your information becomes critically important when identifying privacy risks. Software can offer speed and accuracy to many error-prone manual functions. Unfortunately, software systems can be complex, with flaws and unintended behaviors. Evaluating software functions is not simple because organizations often mix in-house developed software, customized commercial off-the-shelf software, cloud-based applications and supporting middleware, and operating systems to process, share, and distribute their data.

After the auditor identifies the automated processes, basic security questions need to be addressed regarding any application that handles personal information:

• Was a privacy risk assessment performed to identify and address privacy issues during software development? There is a trend of “privacy by design” that incorporates privacy awareness into every facet of daily business, including the development of new applications and processes involved in personal data collection and use.
• Have data classification standards been implemented in the application to ensure appropriate baseline controls over personal information?
• How was the implementation of the privacy requirements and associated controls validated in development and deployment of the application?
• How does the application authorize and authenticate users? What user roles does the application have to limit access to “minimum necessary” based on their job responsibilities? Are their authorizations reasonable?
• How is user access to personal information tracked and logged to ensure all successful and failed access attempts can be researched and accountability can be established?
• Are there external interfaces to other applications? Do these applications give an equivalent level of control over personal information?
• What is the process for maintaining and upgrading the applications and the underlying database?
• Who responds to potential security issues and ensures that security patches are tested and applied?
• Who is responsible for the general security of the application?
• In development and testing of applications, is test data used or has production data been made appropriately anonymous for personal or sensitive information? If not, are the controls in the test environment equivalent to controls in the production environment?
• Does the application include processing or storing personal information data in the cloud? If so, are the controls equivalent to the controls required for internal applications handling personal information?
• What types of cookies, web beacons, or web pixels are used on the organization’s Web applications? Are they for internal use, or are they to gather information for third parties? What type of personal information is collected, how is it used, and, if sensitive, how is the user’s consent obtained and stored? Ensuring transparency in the use of these tracking/information-collecting technologies is a key focus of current privacy litigation and regulation.
• Do any applications use geographic location tracking to provide services or obtain personal information from customers? If so, what personal information is collected, how is it used, and, if sensitive, how is the user’s consent obtained and stored?

Business Process Risks

Despite technicians’ efforts to guard, encrypt, and otherwise secure personal information, the business process will eventually require that personal information be used for its intended purpose. As the personal information is used, it is important that individuals treat it with the level of care corresponding to its data classification. Measures to protect printed personal information should follow the same principles used to classify and protect electronic data. At a minimum, desks should be clean, drawers and filing cabinets should be locked, and record disposal and destruction should be secure. Discretion should be used in areas open to the public. Risk assessments, handling procedures, and training and awareness programs should help to identify and minimize privacy risks inherent in the business processes.

5.5 Preparing the Engagement

Practice Advisory 2130.A1-2 outlines internal audit activities related to an organization’s privacy framework. These activities include:

• Assessing the adequacy of management’s identification of risks related to its privacy objectives.
• Assessing the adequacy of the controls established to mitigate privacy risks.
• Identifying the types and appropriateness of personal information gathered, the collection methodology used, and whether the organization’s use is in accordance with its intended use and applicable legislation.
• Providing assurance on the effectiveness of the organization’s privacy policies, practices, and controls.

Approaches to developing a privacy audit program are identified in several regulations and publications. An intuitively sequenced model for an audit program structure, which builds on the OECD criteria, is provided in Privacy Handbook [6]. In comparison, Privacy–Assessing the Risk [7] presents an exhaustive program with a more technology-oriented structure. Key principles and concepts contained in the AICPA/CICA Generally Accepted Privacy Principles–A Global Privacy Framework along with major international privacy laws and regulations can be very useful in developing privacy themes for the audit program, as shown in Figure 4.

Privacy Assessments

Many legal and regulatory bodies require, or at a minimum, recommend that organizations conduct privacy assessments. Many organizations also realize an operational, internal control, and risk management-driven need to review the effectiveness of privacy policies and practices. Existing assessment models provide extensive guidance for setting up audit work programs. The objectives of a privacy assessment need to be established first. An example of objectives includes:

• To determine inherent and residual privacy-related risks.
• To provide assurance on controls over privacy risks.
• To verify adherence with a set of privacy standards or regulations.
• To ensure compliance with the organization’s own privacy statement on the use, collection, retention, protection, and disposal of personal information.

The U.K. Information Commissioner’s Data Protection Audit Manual contains a methodology for conducting data protection compliance audits together with a series of checklists aimed at testing compliance with the Data Protection Act of 1998. The audit manual has been tailored to enable any data controller or data owner to help

[6] Privacy Handbook: Guidelines, Exposures, Policy Implementation, and International Issues, Albert J. Marcella Jr. and Carol Stucki, John Wiley & Sons, May 23, 2003
[7] Privacy: Assessing the Risk, Kim Hargraves, Institute of Internal Auditors Research Foundation, 2003

judge his or her organization’s own data protection compliance. Similarly, it also may be used by any organization offering such services to data controllers. The Audit Manual describes general privacy audit processes: external and internal audits, adequacy and compliance audits, and vertical (functional) or horizontal (process) audits. Auditors may begin an assessment by scoping the audit areas — the whole organization, a function, a business process, or a category of information. A fully scoped audit is built to cover all privacy principles. A risk-oriented approach focuses on the key risk areas that can be derived by assessing structural, process, and data category dimensions, based on impact and likelihood of events.

Ready-made work programs available from supervisory bodies, industry organizations, and privacy advocates may prescribe mandatory audit work and generally provide a good starting point for customized regular or one-time audit work programs. The CAE or a delegate should review or approve each internal audit work program before a privacy audit begins. Where a privacy commissioner or comparable function is commissioning or performing privacy reviews, internal audit should review both the sufficiency of the audits performed and the effectiveness of the follow-up mechanism in place.

Foundation for a Privacy Audit–Understanding the Data

It is important to realize that compliance with applicable laws and regulations is a foundational issue that should be addressed when performing a comprehensive privacy risk assessment and audit for an organization. When planning a privacy audit, the auditors should:

• Obtain a comprehensive understanding of the personal information collected and stored, its use by the organization, its processing by technology, and the jurisdictions/countries through which the data is processed.
• Interview the individuals responsible for the organization’s privacy policy and its enforcement and/or in-house or outside legal experts to gain an understanding of the privacy laws and regulations governing the business and the type of information handled, as well as the known risks, designed controls, and reported incidents.
• Identify the laws and regulations that govern personal information in the jurisdictions where the organization conducts business.
• Determine the regulations and governmental bodies responsible for enforcing privacy rules. Ask the privacy officer or the individual responsible for privacy compliance how such rules are codified in the organization’s policies and procedures.
• Identify the customers’, employees’, and business partners’ personal information that the organization collects. If a data inventory of personal information is available, that may provide a starting point for the auditor. If there is no documented inventory, interviews with business process owners and their IT counterparts may be necessary to identify what personal information is collected. Also, automated discovery tools can assist the auditor in this phase.
• Identify what, if any, personal information is shared with third parties. Determine how the data is shared with each of these third parties, including hard copy, file transfer, and portable electronic media. The intent is to identify the formal and informal means by which personal information is shared within the organization and with other entities to identify potential threats, vulnerabilities, and overall risk. Determine whether agreements with third-party service providers and business partners include provisions on appropriate controls for handling personal information from receipt through disposal.

Identify Privacy Threats

Internal auditors should identify privacy threats to the organization through research, benchmarking, and brainstorming, and rank them according to the likelihood of occurrence and impact. Risk assessment meetings with
business process owners also can ensure risks and threats to personal information are explored and identified thoroughly. Assigning values to threats and assets through a privacy risk assessment highlights where the strongest controls or countermeasures should be and the areas on which the auditors should focus to identify vulnerabilities.

A threat uses a vulnerability to exploit an asset. For the purposes of privacy management, the asset is protected personal information. So, who or what is the threat? The threat is the individual or process that, intentionally or not, makes an organization’s personal information public or allows any unauthorized access to personal information. A legitimate threat could be a business partner violating contractual obligations or a hacker employed by organized crime. As has been empirically verified, threats posed by employees, contractors or temporary workers, competitors, developers, janitors, and maintenance staff — those who often have access to stores of confidential information — are very relevant. Whether through malice or carelessness, individuals with access to personal information have the ability to make that information public. If personal information is shared with business partners and contractors, the additional threats to and within their operations and processes should be evaluated.

Identify the Controls and Countermeasures

To determine what the organization is doing to protect personal information from the worst threats, auditors should validate the basic infrastructure and general controls in place, as well as the specific application and internal controls throughout the organization that are active and relied on by the privacy program. Common steps to identify the controls include:

• Requesting and reviewing documentation. Review the privacy program as it is implemented in policies, procedures, and other documentation. How do the policies match up with the high-risk areas defined in the privacy risk assessment? How often, if ever, are these policies reviewed? Do they incorporate the latest regulatory and legal guidance? Is the guidance consistent across divisions in the organization? Identify any gaps for follow-up.
• Interviewing and observing the processing of personal information in action. The gap between the written policy and the operational action can be significant. Sit with employees on the front lines in operations and IT to determine whether they are aware of the impact of their actions/processes in handling personal information. Determine whether the outright requirements, as well as the spirit or intent of the privacy program, motivate the staff’s decisions and actions.
• Reviewing third-party contracts and contacts. The depth of the review will depend on how the contractors and the personal information handled by them rank in the threat matrix, but the auditor, at a minimum, should review for language compliant with applicable laws and regulations. If right-to-audit clauses are included, are they exercised with appropriate frequency and depth? Another common technique that auditors can use in reviewing third parties is a security/privacy control survey or questionnaire. This will allow the auditor to obtain information about the controls the third party has in place to protect the organization’s personal information and help to identify areas that may require follow-up.

Using a third-party provider’s controls wholly, or in conjunction with the organization’s own controls, may impact the organization’s ability to achieve its control objectives. A lack of controls or weakness in third parties’ control design, operation, or effectiveness could lead to such things as loss of personal information confidentiality and privacy. Hence, contracts with third-party providers are a critical element and should contain appropriate provisions for data and application privacy and confidentiality.

By this point, the potential high-impact risks should come into sharper focus, but significant questions will remain
unanswered. It is time to test the controls and countermeasures, hitting the highest impact assets and modeling the highest impact threats.

5.6 Performing the Assessment

The common steps throughout an audit are described in detail in The IIA’s International Professional Practices Framework (IPPF). When the auditor understands the organization’s privacy objectives, its privacy risks, the types of personal information handled, and the legal framework in which the organization conducts business, an audit program including scope, objectives, and timing of the audit can be developed and approved. The audit team will gather information, perform tests, and analyze and evaluate the test work to prepare the report and recommendations.

Test Work Methodologies

After the risk assessment is completed, traditional test work is focused on general, application, and security controls. Potential testing may include methods beyond the usually applied techniques such as vulnerability assessments and penetration tests, physical control tests, and social engineering tests.

Vulnerability Assessments and Penetration Tests

These methods are often cited as assurance methods for network-accessible applications and infrastructure. Consultants often use terms such as “tiger team” or “ethical hacking” to describe this methodology of identifying and exploiting vulnerable services in a production environment.

Vulnerability assessments generally focus on identifying potential vulnerabilities in information systems. The assessments identify and prioritize vulnerabilities in the configuration, administration, and architecture of information systems. Penetration tests take vulnerability assessments one step further, exploiting the identified vulnerabilities. Penetration tests generally require a higher degree of technical skill and could potentially disrupt production systems. Vulnerability assessments and penetration tests require a set of skills that the internal auditor may need to acquire, either through contracting third-party expertise or training.

Physical Control Tests

Personal information is not limited to digital data. If the organization’s modeled threat has access to the building, all the encryption, firewalls, and patched databases in the world cannot keep that individual from retrieving printed information from the trash or accessing data through an unlocked workstation. Digging through trash for protected information, identifying logged-in and unattended workstations, and reviewing secure information storage and handling processes may identify vulnerabilities in the handling of private information. This type of test can answer questions such as:

• Is personal information being disposed of according to policy and procedures?
• Are documents containing personal information stored securely prior to disposal or shredding?
• Are working documents with personal information stored securely?
• Are documents or monitors that display personal information viewable by unauthorized personnel?
• Are workstations locked when unattended?
• Is the application of privacy controls consistent across various departments?

Social Engineering Tests

Social engineering, in the context of security, is the technique of gaining unauthorized access through nontechnical deception. In the scope of testing a privacy program, social engineering can be used to test the effectiveness of controls regarding release of personal information. In other words, can an individual obtain personal information by simply asking for it? The auditor could impersonate executives, network administrators, or other authorized users
to “con” or “sweet talk” passwords or personal information from employees who act as key countermeasures. Social engineering tests can help answer some of the following audit questions:

• How effective are the organization’s privacy awareness and training programs?
• Is the balance between customer service and restricting personal information appropriate?
• Is the privacy program supported by the corporate culture?

Organizations have different attitudes toward the conning of employees by internal auditors, so build a threat model and identify vulnerabilities carefully. Discuss the process with the human resources and legal teams to ensure the results will be used to improve privacy practices and not for random firing of tested employees.

5.7 Communicating and Monitoring Results

Many privacy audits are evaluations of compliance programs, and the auditor should consult with legal counsel if potential violations are to be included in audit communications. Consultation and coordination with counsel can reduce the conflict between the auditor’s responsibility to document the results of the engagement and the counsel’s legal obligation to defend the organization.

Some of the challenges specific to reporting the results of a privacy audit include:

• Getting all of the participants involved in the scope of the privacy audit. An effective privacy program is practiced by nearly all areas of the organization. Be sure that key participants have input.
• Developing a common, understandable language to describe the risks.
• Ensuring that legal counsel has reviewed the proposed audit plan and draft audit report before issuance to ensure that compliance considerations are addressed appropriately.

The CAE should be aware of IIA Performance Standard 2600: Resolution of Senior Management’s Acceptance of Risks in the event that he or she believes that senior management has accepted a level of residual risk that may be unacceptable to the organization related to its privacy program and practices.

5.8 Privacy and Audit Management

The IIA’s IPPF reminds auditors to take regulations and risks into account when planning, performing, and reporting assurance and consulting assignments. Many other professional bodies, legislators, and supervisory authorities issue a broad variety of guidance and regulations. The privacy of personal information and how the organization manages this asset should be considered when developing the risk-based audit plan.

The internal audit staff is a key part of the organization’s governance structure to address privacy. As such, training programs and policies should be in place to provide internal auditors with the necessary background and knowledge to conduct privacy engagements effectively. There also is a need for due diligence to ensure that auditors act in accordance with relevant laws and policies when using personal information during assurance or consulting engagements. Internal auditors should understand that it may be inappropriate — and in some cases illegal — to access, retrieve, review, manipulate, or use personal information when conducting internal audit engagements. Before initiating an audit, the internal auditors should investigate these issues and request advice from legal counsel, if needed. Finally, internal auditors should consider related privacy regulations, regulatory requirements, and legal considerations when reporting information outside the organization.

IPPF – Practice Guide
Auditing Privacy Risks

Top 12 Privacy Questions CAEs Should Ask

1. Does the organization have a governing body in place to address the acceptable level of privacy risk it will take?
2. What level of privacy risk is management prepared to accept?
3. What privacy laws and regulations currently impact the organization or may likely be required in the near future?
4. What type of personal information does the organization collect, who defines what is personal or private, and are the definitions consistent and appropriate?
5. Does the organization have privacy policies and procedures with respect to collection, use, retention, destruction, and disclosure of personal information?
6. Does the organization have responsibility and accountability assigned for managing a privacy program?
7. Does the organization know where all personal information is stored and who has access?
8. How is personal information protected at various levels — databases, networks, system platforms, application layers, and business process/functional levels?
9. Is any personal information collected by the organization disclosed to or processed by third parties?
10. Do employees receive privacy awareness training and have guidance on their specific responsibilities in handling privacy requirements, issues, and concerns?
11. Does the organization have and provide adequate resources to develop, implement, and maintain an effective privacy program?
12. Does the organization complete a periodic assessment to ensure that privacy policies and procedures are being followed and meet new or current requirements?
Appendix

The IIA's International Professional Practices Framework (IPPF)

Internal audit authoritative guidance is addressed in the IPPF, which comprises mandatory guidance and strongly recommended guidance. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.

Specific privacy-related guidance can be found in the IIA's Code of Ethics, Standards, and Practice Advisories. Relevant portions of this guidance are included below.

IIA Code of Ethics

The section on confidentiality states that internal auditors:

• Shall be prudent in the use and protection of information acquired in the course of their duties.
• Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

IIA Practice Advisories

Although in some cases the following advisories are not specifically related to privacy, they are key practice advisories that the internal auditor should be aware of when assessing an organization's privacy program:

2010-1: Linking the Audit Plan to Risks and Exposures
2010-2: Using the Risk Management Process in Internal Audit Planning
2120-1: Assessing the Adequacy of Risk Management Processes
2120-2: Managing the Risk of the Internal Audit Activity
2130-1: Assessing the Adequacy of Control Processes
2130-A1-2: Evaluating an Organization's Privacy Framework
2200-2: Using a Top-down, Risk-based Approach to Identify the Controls to Be Assessed in an Internal Audit Engagement
2300-1: Use of Personal Information in Conducting Engagements

Privacy Control Weaknesses and Actions Matrix–An Illustration

The following are examples of possible privacy control weaknesses and potential actions by the internal auditor to address those weaknesses. Note that the examples of weaknesses and actions are not intended to be comprehensive and may not apply in your environment.

Control Weaknesses and Actions

Weakness: The organization does not have a privacy policy and related control framework elements.
Action: Discuss with senior management the need for a documented privacy policy and development of an effective privacy program.

Weakness: The organization is not complying with its privacy policy.
Action: Review the organization's privacy practices to ensure the organization is following the commitments made to customers in its privacy notice.

Weakness: The organization is not adequately protecting personal information it collects, uses, retains, discloses, and disposes of.
Action: Review the organization's information security practices relating to administrative, physical, and technical controls to ensure personal information is protected adequately.

Weakness: The organization has not identified the types of personal information it collects, who has access to it, or where it is stored.
Action: Map data flows of personal information collected through automated systems or manual processes, who has access to personal information, and the business need for such access.

Weakness: The organization has not documented the business purposes for collecting personal information to ensure it does not collect and retain more than necessary.
Action: Map data flows of personal information collected through automated systems or manual processes and identify the business purposes for such collection and retention.

Weakness: The organization does not have a formal governance structure related to privacy compliance.
Action: Discuss with senior management or the board, if necessary, the need for a governance structure over privacy compliance.

Weakness: The organization does not have internal privacy policies for protection of personal information.
Action: Review current policies, standards, and procedures related to privacy of personal information to ensure they address areas such as data classification, record management, retention, and destruction.

Weakness: The organization has not established a compliance auditing or monitoring framework.
Action: Include privacy compliance in the risk-based auditable inventory. Obtain an inventory of laws and regulations that apply to the organization from the legal department. Complete a privacy compliance audit.

Weakness: The organization does not have an incident response plan in place.
Action: Discuss with senior management — including the IT and legal departments — the need to develop an incident response plan in the event of a breach of personal information.

Weakness: The organization has not conducted formal privacy awareness, data handling, or information security training.
Action: Review privacy training and awareness materials to determine whether they meet the needs of the organization. Review training records to ensure employees who handle or have access to personal information have undergone the required training.

Weakness: The organization has not implemented a third-party vendor privacy and security management program to create a consistently applied approach to contracting, assessing, and overseeing the privacy practices of its vendors.
Action: Review contracts of third-party providers to ensure they contain protection requirements for personal information, contract termination clauses, destruction of records containing personal information, and a right-to-audit clause. Perform periodic audits to ensure third-party providers are complying with the contract terms.
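Two of the actions in the matrix (confirming who has access to personal information and the business need for that access, and confirming that everyone with such access has completed the required training) can be tested mechanically once the entitlement export and the training records are in hand. The script below is an added example and is not part of the IIA guide. The system names, user IDs, dates, the set of systems classified as holding personal information, and the one-year training validity period are all constructed assumptions for illustration; in a real engagement they would come from the organization's data inventory, identity system, and training platform.

```python
"""Access-to-PII reconciliation: an added example, not from the IIA guide.

Checks an entitlement export against (a) a documented business need for each
grant and (b) completion of the required privacy training within the validity
window. All data below is constructed sample input; the system names, user IDs,
dates and the one-year training validity period are assumptions.
"""
from dataclasses import dataclass
from datetime import date

TRAINING_VALID_DAYS = 365          # assumed policy: renew privacy training yearly
REVIEW_DATE = date(2024, 9, 1)     # constructed "as of" date for the review

# Constructed: systems the privacy program has classified as holding PII
PII_SYSTEMS = {"hr-payroll", "crm", "support-tickets"}


@dataclass(frozen=True)
class AccessGrant:
    user: str
    system: str
    justification: str   # empty string means no documented business need


# Constructed sample entitlement export (one row per user/system pair)
ACCESS_GRANTS = [
    AccessGrant("alice", "hr-payroll", "HR payroll administrator"),
    AccessGrant("bob", "crm", "Sales account manager"),
    AccessGrant("carol", "crm", ""),                  # no business need recorded
    AccessGrant("dave", "support-tickets", "Tier-2 support engineer"),
    AccessGrant("erin", "build-server", ""),          # not a PII system: out of scope
]

# Constructed sample training records: user -> most recent completion date
TRAINING_COMPLETED = {
    "alice": date(2024, 3, 1),
    "bob": date(2022, 11, 15),    # more than a year before REVIEW_DATE
    "dave": date(2024, 6, 30),
    # carol has never completed the training
}


def training_status(user, as_of):
    """Return None when training is current, otherwise a short issue label."""
    completed = TRAINING_COMPLETED.get(user)
    if completed is None:
        return "no training record"
    if (as_of - completed).days > TRAINING_VALID_DAYS:
        return "training expired"
    return None


def find_exceptions(grants, as_of):
    """Return sorted (user, system, issue) tuples for PII access failing a check.

    A grant can produce two exceptions (no business need and a training
    problem); grants to systems outside PII_SYSTEMS are ignored.
    """
    exceptions = []
    for g in grants:
        if g.system not in PII_SYSTEMS:
            continue
        if not g.justification.strip():
            exceptions.append((g.user, g.system, "no documented business need"))
        issue = training_status(g.user, as_of)
        if issue is not None:
            exceptions.append((g.user, g.system, issue))
    return sorted(exceptions)


if __name__ == "__main__":
    for user, system, issue in find_exceptions(ACCESS_GRANTS, REVIEW_DATE):
        print(f"{user:<8}{system:<18}{issue}")
```

Run against the constructed data, the check reports bob's expired training and both of carol's gaps, while alice and dave pass and erin's grant is ignored because the build server is not classified as holding personal information. Distinguishing "no training record" from "training expired" matters in practice: the first usually points to an onboarding gap, the second to a renewal process that is not being enforced.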

Authors:
Ken Askelson, CIA, CPA, CITP, CGMA
Stefanie Hardgrove, CIA, CPA, CIPP/IT
Michael Lynn, CPA
Sara Lademan, CIA, CISA, CGEIT, CISSP
David Williams, CISA, PCI-ISA

Reviewers:
Steve Hunt, CIA, CBM, CGEIT, CISA, CRISC, CRMA
Steven Jameson, CIA, CBA, CCSA, CFE, CFSA, CGMA, CPA, CRMA

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org

IPPF – Practice Guide

Auditing the Control Environment

April 2011
IPPF – Practice Guide
Auditing the Control Environment

Table of Contents

Executive Summary
Introduction
An Organization's Control Environment
Scope and Approach to Auditing the Control Environment
Practical Considerations in Auditing the Control Environment
How to Audit the Control Environment
Evaluating Control Environment Deficiencies
Communicating Results
Appendix
Authors

Executive Summary

The control environment[1] is the foundation of an effective system of internal control. Most of the well-publicized failures (including not only Enron and WorldCom, but also the governance failures that led to the 2008 financial crisis) were, at least in part, the result of weak control environments. In the absence of a demonstrably effective control environment, no level of "design and operating" effectiveness of controls within business and IT processes can provide meaningful assurance to stakeholders of the integrity of an organization's internal control structure.

The International Standards for the Professional Practice of Internal Auditing (Standards) Glossary defines the control environment as:

The attitude and actions of the board and management regarding the significance of control within the organization. The control environment provides discipline and structure for the achievement of the primary objectives of the system of internal control. The control environment includes the following elements:

• Integrity and ethical values.
• Management philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• Human resource policies and practices.
• Competence of personnel.

Central to any approach to auditing the control environment is the assessment of risks from failure of each one of the six individual control environment elements as defined in the glossary of the Standards. Upon determining the risks relating to each one of the six control environment elements, the chief audit executive (CAE) may consider including in his or her annual audit plan one or more audits of higher control environment risks. The CAE may choose to address these risks in (1) a single audit of the organization's control environment, (2) a series of audits focusing on aspects of the control environment, or (3) audits of controls over specific risks (i.e., the scope includes the assessment of controls performed within the control environment as well as within business processes). Since the audit of an organization's control environment will often involve discussion of sensitive issues, the CAE must plan and execute these audits diligently.

There are many practical considerations that the CAE should pay close attention to when planning and executing a control-environment related audit. First, there should be support or buy-in from senior management and/or the board or the audit committee for such an audit. Second, internal auditing's reporting structure should be sufficiently independent to ensure minimal or virtually no scope limitation of the audit team. Third, the CAE should clearly articulate and communicate the criteria to be used, for the benefit of the auditee and the audit team members, in assessing the control environment. Finally, due attention should be given to differences in business culture, language, local laws, etc., while conducting such audits in a global organization.

Because the audit of the control environment includes auditing "soft" controls, some of the traditional testing approaches and tools may not enable gathering of sufficient direct evidence of their effective operation. The auditor will need to think "outside-the-box" to gather sufficient, competent evidential matter in such audits to ensure that audit findings are not challenged due to lack of rigorous audit procedures and evidence.

Control environment deficiencies need to be evaluated individually, and it should be understood how they interact with or impact other controls in the organization. The corrective actions sometimes may need to extend beyond the immediate control environment element being evaluated.

[1] Because "control environment" includes assessing an organization's culture, the reader of this Practice Guide is also encouraged to review The IIARF publication, "Best Practices: Evaluating the Corporate Culture," by James Roth, 2010.

Communication of the control environment audit findings involves many practical considerations such as determining the appropriateness of the standard audit report format, limiting the distribution of the audit report, the confidential nature of the findings, timeliness, and involvement of the general counsel and the human resource (HR) function either as the co-executive sponsor or in a supporting role.

Auditing the control environment or one or more of its elements, either as a stand-alone engagement or as part of other internal audits, is not only consistent with the intention of various standards within the International Professional Practices Framework (IPPF) but is also value-added to the organization.

Introduction

The control environment is the foundation on which an effective system of internal control is built and operated in an organization that strives to (1) achieve its strategic objectives, (2) provide reliable financial reporting to internal and external stakeholders, (3) operate its business efficiently and effectively, (4) comply with all applicable laws and regulations, and (5) safeguard its assets. Part of the blame for the 2008 financial crisis and other prominent failures of the 21st century can be appropriately attributed to failures in the control environment.

The purpose of this Practice Guide is to provide guidance to the internal auditor on the significance of the control environment; how to determine which elements of the control environment should be addressed by engagements in the periodic audit plan; how to scope, staff, and plan such engagements; and which items to consider in performing related audit work, including evaluating and reporting deficiencies.

Focusing only on assessing and reporting on controls within business and IT processes, without assessing and reporting on the related risk of control environment failures, can miss the fundamental aspects of the organization's foundation. An entity's control environment is the foundation of an organization's entire internal control structure — financial, operational, and compliance — including safeguarding of its assets. Internal auditors need to consider the risk of control environment failures in the development of annual (and other periodic) audit plans as well as in planning each individual audit.

The Standards defines the control environment as "the attitude and actions of the board and management regarding the significance of control within the organization." Specifically, Standard 2130: Control states, "the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement." Furthermore, Standard 2130.A1: Control states "the internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the: reliability and integrity of financial and operational information; effectiveness and efficiency of operations and programs; safeguarding of assets; and compliance with laws, regulations, policies, procedures, and contracts."

An Organization's Control Environment

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the Internal Control–Integrated Framework in 1992. It uses a very similar definition to that in the Standards Glossary referenced above. The Executive Summary states:

"The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control,

providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors."

Guidance on Control Number 1 from the Canadian Institute of Chartered Accountants Criteria of Control (CoCo) Board[2] uses four criteria as the basis of understanding and evaluating the effectiveness of an entity's internal control structure: purpose, commitment, capability, and monitoring and learning. The criterion of commitment embodies shared ethical values, integrity, HR policies and procedures, authority, responsibility, and accountability, and an atmosphere of mutual trust — essentially the same as the 1992 COSO framework and The IIA Standards definitions.

Similarly, the original Turnbull Guidance, Internal Control: Guidance for Directors on the Combined Code, issued by the Institute of Chartered Accountants of England and Wales in 1999, states that "a company's system of internal control will reflect its control environment which encompasses its organizational structure. The system will include: control activities, information and communications processes, and processes for monitoring the continuing effectiveness of the system of internal control."

While there may be differences in control language around the world, the intent and the principles are similar and consistent. An effective control environment functions like the keystone in an arch bridge: without it, the best material and craftsmanship cannot hold the bridge together. Auditing the control environment and assessing its effectiveness is an important part of an auditor's assurance responsibility.

Scope and Approach to Auditing the Control Environment

Even though the control environment has a pervasive effect on risk management and internal controls across the entity, any approach to auditing the control environment should include an assessment of the risks from failure of each individual control environment element and their interaction with each other. This Practice Guide uses the six elements described in the Standards Glossary definition of the control environment:

• Integrity and ethical values.
• Management philosophy and operating style.
• Organizational structure.
• Assignment of authority and responsibility.
• HR policies and practices.
• Competence of personnel.

The level of risk may vary across geography, business unit, process, etc. For example, the level of risk relating to integrity and ethical values may be higher in some locations than in others. Some business units may have a more established and experienced workforce, leading to significantly lower risks associated with competence of personnel than in business units where personnel turnover is high.

There are several examples of situations that might influence the assessment of risk of failure for one or more control environment elements:

• Compensation and incentive structures can contribute to inappropriate behavior or excessive risk-taking.
• A high rate of employee turnover in key functions can lead to a lack of experience and less reliable execution of controls. This may be the result of a number of failures in the control environment, including ineffective supervision and other HR process issues.

• The absence of a defined code of conduct and ethics and/or a whistleblower policy, the failure to establish an ethics hotline, the absence of a process to evaluate the effectiveness of the code of conduct and ethics policy, a high number of reported frauds, or management override of established controls can all lead to inappropriate activity that is not detected and addressed timely.
• Key functions may be staffed by personnel who do not possess the necessary level of competence. The level of risk is heightened if there is a perception that they hold their positions by virtue of their relationship to senior managers, the promoters, or executive directors of the board.
• The board may not provide effective oversight over the conduct of the organization's operations, and may not understand and monitor the broad organizational control environment.
• Key managers in the organization may tend to make business decisions without clearly understanding the risks related to their decisions; management may not exhibit risk and control consciousness in its decision-making.
• Processes relating to defining job descriptions for key positions may be weak, background checks and/or reference checks are not consistently performed, or the organization has difficulty hiring and retaining qualified individuals.

Once the CAE has assessed the risks relating to each of the six control environment elements, he or she may include one or more audits of the higher control environment risks in the annual audit plan. The CAE may determine the frequency of auditing the control environment based on his or her assessment of risk of control failures associated with one or more of the control environment elements.

The CAE may decide to address the risks in:

• A single audit across the organization.
• A series of audits, each of which addresses selected aspects of the control environment (such as the ethics hotline, board and committee operations, etc.).
• Audits of the control environment within selected divisions or operating units.[3]
• A variation of the above.

For instance, if individual operating units have their own ethics policies and autonomous compliance committees, separate control environment audits at each unit may be the best approach. If each division investigates ethics violations based on organizational guidelines and tips from a centralized hotline, an organizationwide audit focusing on the hotline combined with local audits focusing on the investigations may be more relevant. If new personnel hiring and screening is considered an important control environment activity and this process is centralized, an organizationwide audit may be the best approach.

Although the initial scope and approach can be altered over time as better assessments and knowledge of the organization's control environment come to light, the CAE should consider:

• What are the control environment elements and their attributes (ethics policy, board governance, compliance, fraud detection, etc.) that are key to the entity's control environment?
• How are these elements and related attributes managed during day-to-day operations? Is there clear accountability across the organization?
• Can these elements and attributes be managed effectively and efficiently in the scope of one large audit, or would separate focused audits of each principle and related attributes be more effective and efficient?

[3] Risks related to the control environment at a location or within a business unit might also be included as part of the scope of broader individual audit engagements of that location or business unit. For example, an audit of a factory in China might include assessments of control environment elements (such as code of conduct and ethics awareness) as well as controls over inventory and procurement. An audit of the shared service center in Ireland might include assessments of HR practices in addition to general ledger and accounts payable controls.

• Does the balance of centralized versus decentralized operations within the organization influence how the control environment operates and thus the nature of audit work?
• What combination of control environment audits will allow the CAE to provide assurance to senior management and the board regarding the organization's system of internal control?
• Should the control environment audit be one annual audit, one audit occurring periodically every few years, or separate focused audits each year on different principles rolling up into a review of all control environment principles every few years?
• If the control environment has not been reviewed previously, what knowledge is there that would guide the decision on the audit approach? Would a high-level risk assessment of all control environment principles provide a basis for decisions? Should a first-year audit be different from the ongoing audits that have been put in place in the audit plan?
• Should any aspect of the control environment assessment be performed at the direction of legal counsel, for example, those pertaining to investigations?
• Are adequate audit resources available?
• Are there any explicit senior management and board preferences (e.g., a stated desire to have the assessment completed by a certain date)?

As noted earlier, the audit plan may include a single audit of control environment risks. It may also include multiple audits, each addressing separate elements of the control environment, or control environment elements in different locations or business units. Where the plan includes multiple control environment audits and the CAE is planning to provide an overall assessment based on the results of these individual audits, the CAE should:

• Determine, during the initial planning phase, the process that will be used to aggregate the results of the individual audits into an overall assessment of the control environment.
• Plan the individual audits so that differences in their timing do not impede the overall assessment. In the case of a substantial time lag between individual audits, it may be necessary to perform procedures to update the results of earlier audits to support the overall assessment.
• Consider staffing the audits in ways that would ensure continuity in the audit approach and consistency in the assessment process. Well-defined audit programs also could help in this regard.

Audits of the control environment often involve the discussion of sensitive issues, including the actions or inactions of senior management and the board. The internal auditor should consider the following issues during the planning phase:

• Whether specific skills will be required (e.g., requiring the use of internal or external subject matter experts). These skills may be provided through the use of guest auditors from other parts of the organization or from a co-source service provider.
• Whether conversations with senior management and the review of confidential documents require staffing the audit with mature, experienced personnel. In some situations, the CAE may decide to lead the audit and/or personally perform certain aspects (e.g., the review of executive compensation or the results of investigations involving senior management).
• Ensuring, through discussions well in advance of the audit, that the information required to perform the audit (especially any information considered confidential) will be available when required. In addition, the auditor should ensure that everybody asked to support the audit understands the need to provide the audit team with the required information in a timely manner. This may require the involvement of the sponsor.

Control Environment Implications for Individual Internal Audit Engagements

Effective management of risks involves evaluating and monitoring not only business process controls but also controls relating to the entity's control environment. If the effectiveness of the control environment is not considered in an audit engagement, there is a risk that the assessment of the adequacy of controls will be incomplete and perhaps even misleading or incorrect.

When defining the scope of any audit, the internal auditor should consider the level of reliance placed on the effectiveness of control environment activities, and the risk of deficiencies in the control environment. In some cases, these risks and the related controls will be included within the scope of the audit. In others, reliance will be placed on separate audits performed of the control environment or one or more of its six elements.

For example, when developing the scope of work for an audit of accounts payable (AP), the auditor should consider risks such as:

• AP staff and managers involved in the AP process (e.g., as approvers of invoices) are not familiar with the organization's expectations for ethical behavior.
• Hiring practices are not effective in staffing key AP positions with experienced personnel.

Audit procedures around these risks might be included within the scope of the AP audit. However, if separate audits are being performed that specifically address these risks — for example, as part of audits of the code of conduct and hiring practices — the auditor might want to make reference to, and rely on the results of, those audits rather than duplicate the work.

When the scope of work for an audit does not include coverage for control environment risks, that limitation should be clearly communicated to management or the executive sponsor during the planning phase and in the final report.

The results of separate audits of the control environment should be considered when preparing the audit report:

• When the control environment audit has already been completed, the auditor should consider those results and include them in assessing whether the system of internal control — including the controls in the control environment — is adequate.
• When the control environment audit has not yet been completed, the auditor should consider acknowledging that fact and make it clear that the assessment of internal controls is based on the assumption that the control environment activities are effective. The auditor should consider revisiting his or her assessment of the adequacy of internal controls should the audit of the control environment result in the identification of deficiencies.

Practical Considerations in Auditing the Control Environment

Discussed below are some of the practical considerations that should be taken into account while planning, executing, and reporting on audits in this area.

Senior Management and Board Support or Buy-in

An audit of the control environment involves assessing controls that in many cases, directly and/or indirectly, are performed by or at the direction of senior management or the board. Whether the audit is of all or only one element of the control environment, consideration should be given during the planning phase as to whether the internal audit team will be challenged in its need for access to the pertinent individuals and required documentation. Actions may be required to mitigate and manage such challenges before the commencement of the audit. These actions might include:


• Discussing the need for access during the development of the audit plan.
• Ensuring that the audit charter provides for appropriate access.
• Obtaining the support and sponsorship of the board and/or the chief executive for the audit. In some cases, the support of the chief financial officer (CFO) or general counsel may be sufficient.
• Written communications from an appropriate member of the executive management instructing the organization to provide the required access and information.
• Attendance by the executive sponsor4 at the audit’s opening meeting.
• Meeting with key members of executive management who are in a position to enable access, early in the audit planning phase. The internal auditor should ensure that the executives understand what information and access is needed and why. Their concerns should be heard, understood, and addressed where possible. Escalation to executive management or the board may be necessary to resolve continued denial of access.

Internal Auditing’s Position Within the Organization

The reporting structure for internal auditing also may be an issue. Standard 1110: Organizational Independence states that “the chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.” When the CAE does not report to an appropriate level, his or her ability to perform an audit of the organization’s control environment or its elements may be challenged. For example, the CAE may be directed not to assess certain elements of the control environment (e.g., competence of personnel in the finance function), or have only limited access to confidential information (such as board minutes or records containing discussions about allegations against senior management). This may be mitigated if the CAE is able to obtain strong support from the board or executive management, with a clear mandate that the audit team should be provided full access to the information required to perform the audit.

If the CAE is unable to ensure that the audit team will have full access to information necessary to complete an effective control environment audit, or will be unable in fact or perception to be sufficiently objective and independent in its assessment of the control environment, such scope restrictions and other limitations should be promptly reported to the board. The CAE should consider whether to pursue an audit with appropriate scope restrictions communicated in the report per the Standards. Such restrictions do not relieve the CAE of her/his obligation to report to the governing board on the importance and need to evaluate the control environment.

Criteria for Assessing the Control Environment

The audit planning process includes consideration of the end-product of the audit, in particular what criteria will be used for the assessment. As with other engagements, options include:
• An assessment of the controls included in scope using the organization’s standard rating system, together with opportunities for improvement.
• The assessment of the controls using a defined control maturity model, in addition to the standard rating and opportunities for improvement.
• Assessment of controls as directed by the general counsel with a specific objective in mind.
• Benchmarking (between companies and/or between units/departments in the company).

4 For the purposes of this Practice Guide “executive sponsor” is a member of the executive team or board who will actively support the completion of the audit.


The CAE should use judgment, in consultation as necessary with the board or executive sponsor or the general counsel, in determining what criteria will be used to measure the effectiveness of the control environment. The CAE should ensure the board, senior management, and management responsible for the area being audited clearly understand how the results will be communicated if they are different from the standard internal audit reporting process.

Whether the assessment will be of the design and operating effectiveness of specific controls or the overall quality of such controls using a particular control maturity model, the criteria for that assessment should be defined during the planning process and clearly explained to the engagement client including appropriate members of senior management. The CAE should consider discussing the criteria to be employed with management and obtaining its agreement if possible. Significant value to the organization can be obtained through such discussion and buy-in prior to beginning the audit.

Consideration of Local Culture and Values

Local culture and values should be considered when determining the criteria for assessing business conduct and other elements of the control environment. Business conduct and other standards and expectations are not uniform around the world, due in large part to differences in legal traditions, social and cultural values, and the structure of capital markets. For example, while there are traditions in some emerging markets for commerce to be enabled by payments to involved individuals and for purchases to be made from related parties, this practice is considered illegal under the U.S. Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Nations differ in their governance laws and regulations (e.g., on the requirement for independent members of the board and other governing bodies), or in other aspects of the control environment (e.g., some restrict the ability of employers to perform background checks on employees; in some geographies, practices related to the hiring and treatment of minorities are accepted that would be illegal in other countries).

Most multinational organizations have developed and published an organizational code of conduct that applies to all of their operations globally. In such cases, audits of the control environment already have a set standard on which the internal auditors should base their audit scoping, program, assessment, and reporting.

However, not all organizations have adopted global standards, or the global standards may need to be adjusted for the unit being audited to comply with local laws. In these cases, the internal audit team should, in consultation with appropriate management, seek an agreement on what criteria or standard the audit team will follow. This should be clearly communicated to operating management before the start of the audit. If the standards differ in any way from the organizationally published standards, the reasons for variation should be clearly explained.

The CAE should consider variations in culture, values, and practices, as well as the need for language skills,5 in assessing risks relating to the control environment and in staffing each audit. The team should include individuals who are able to understand the context as well as the practices in each region and enable an objective, balanced, and fair assessment of the adequacy of the control environment practices.

5 Lack of familiarity with the local business culture and language may present barriers to developing an effective understanding of differences in culture and behavioral norms from that of internal auditors’ host country. Experience in, and understanding of, the local language and culture is likely to improve the auditor’s ability to understand and assess compliance or lack thereof with organizational policies, standards, and expectations.

Coordination with External Auditors

While it is clear that internal auditing’s evaluation of an entity’s control environment, or one or more of its elements, provides much needed assurance to senior management and the board of directors, the internal auditor should be aware that external auditors may not be able to place complete reliance on their work in assessing the control


environment with respect to audits of the financial statements and the system of internal control over financial reporting. Depending on the external auditor’s assessment, the external auditors may feel compelled to validate certain controls themselves to bolster their independence. Internal auditing should work with the external auditors during annual planning sessions to minimize duplication and ensure the board and other stakeholders understand: (a) the external auditors may only review those aspects of the control environment that relate to a risk of a material misstatement of the financial statements, (b) the external auditors may be required to perform some levels of independent assessment, (c) a review by internal auditing will generally address a greater range of risks (operational and compliance risks in addition to financial reporting risks), and (d) there is an opportunity for internal auditing to contribute to improvements in related processes through its greater understanding of the organization as a whole.

How to Audit the Control Environment

This section elaborates on generic tools and techniques to audit the control environment. The Appendix lists potential audit procedures that might be considered in developing an audit of an entity’s control environment or one or more of its elements. The seven elements and attributes are taken from COSO’s Internal Control–Integrated Framework control environment component.6 The elements and attributes include financial, compliance, and operating effectiveness control objectives. The Appendix is presented only for illustrative purposes and is not intended to be complete or comprehensive.

6 The seven control elements include the six from the Standards and one additional element — “Importance of the Board” — as defined by COSO.

An audit of some elements of the control environment will include a review of soft controls, such as those around ethics, integrity, competencies, behaviors, and perceptions. These are considered soft controls because it may be difficult to obtain direct evidence of their effective operation through traditional testing. Instead, self-assessments, surveys, workshops, or similar techniques may be better suited than traditional methods. Specifically:
• Employee surveys are frequently used in evaluating the success of management’s efforts in establishing an effective control environment. These surveys provide useful measurements of the effectiveness of one or more control environment elements. Annual employee ethics compliance forms are another example.
• The CAE should use his or her network within the organization. The network is critical in discerning whether communication, tone at the top, management walking the talk, and effective supervision are present on a day-to-day basis.
• The internal auditor’s knowledge of the organization’s inner workings is useful to further corroborate the effectiveness of soft controls.
• The value of “auditing by walking around” cannot be overstated. By being present, visible, and observant across the organization, auditors can identify those intangible clues that may lead to deeper assessments. Associates who trust they can provide concerns to auditors with an appropriate degree of anonymity are also valuable.
• Past audit results over control activities and the reaction and remediation from management also are good indicators.
• Internal auditors’ participation in committees, task forces, workgroups, and involvement in ethics and compliance program implementation and assessments provide valuable insights over extended periods of time.

As the above may provide primarily indirect evidence, the auditor must always ensure sufficient evidence is


obtained to support the audit conclusions and assessment. Wherever feasible, the auditor should not hesitate to employ data analytics to filter patterns and anomalies to generate hard evidence.

Controls related to other control environment elements (e.g., publishing an updated and appropriate code of conduct and obtaining references and performing background checks for new employees) may lend themselves to traditional audit techniques.

In planning the audit, the auditor should understand the different nature of soft and other controls, and select the most appropriate techniques.

Evaluating Control Environment Deficiencies

Control environment deficiencies generally impact multiple areas or processes and are essentially pervasive in nature. Deficiencies in control environment might be identified during audits that focus on (1) the organization’s control environment, or one or more of its elements; (2) the control environment or one or more of its elements within a business unit, location, or equivalent; and (3) one or more control environment elements as part of other internal audits.

1. Evaluating deficiencies found during an audit that is focused on the organization’s control environment or one or more of its select elements.

The internal auditor may choose to assess the deficiencies within the context of the control environment audit. In other words, the audit report may limit discussion to whether the individual control environment elements are effective. However, limiting the assessment in this way is likely to result in a failure to understand and act on the pervasive effect of the deficiency. Preferred practice is for the internal auditor to work with management and understand any or all implications for the management of critical risks and the effectiveness of related internal controls.

For example, deficiencies in the hiring process may lead to an inability to hire sufficient, competent personnel in the accounting function. As a direct result, key account analyses, bank reconciliations, and the resolution of unmatched cash receipts may not be completed timely.

When assessing deficiencies in control environment elements, the auditor should be alert to indicators that other affected controls are also failing. These controls may be business process, IT processes, or even other control environment controls. For example, a failure to hire sufficient staff can lead to shortcuts in processes. These indicators may point to a higher level of risk to the organization from the control environment deficiency.

The auditor also should consider the implications of multiple, related deficiencies in control environment elements. Some deficiencies may have a greater effect when they are both present than simple aggregation of their individual risks may suggest. For example, when the absence of new employee training in an organization’s code of ethical conduct is coupled with the failure to obtain references and perform background checks on new employees, the risk of hiring potentially incompetent personnel — and even individuals with a criminal record — is exacerbated.

Even if the audit report is limited to disclosure of the deficiencies without consideration of their pervasive effect, the CAE should discuss the implications and related management actions with the board or audit committee.

The corrective actions required to address control environment deficiencies may have to be extended beyond the immediate control environment element; for example, to


include greater monitoring of affected controls in business processes.

2. Evaluating deficiencies found during an audit that is focused on the control environment within a business unit, location, or equivalent.

In addition to the analyses discussed above, the auditor should determine whether control environment issues identified in a localized audit are indicative of more pervasive issues across the business units, areas, or processes within the organization. For example, if hiring practices in the divisions are deficient, could the related procedures, processes, and systems be deficient in other divisions? If there is a lack of awareness of the organization’s code of conduct, is it due to the fact that the current version of the code was not posted on the corporate portal, thereby affecting all parts of the organization? Has the code been translated into local languages, to support all parts of the organization?

The internal auditor and the CAE should discuss the potential implications of local control environment deficiencies on the organization as a whole, and adjust the audit plan accordingly. In some cases, additional audit work may be required to assess whether the deficiencies are widespread rather than confined to the unit, country, etc. covered by the audit.

3. Evaluating deficiencies found during an audit that focuses on the control environment or one or more of its elements as part of another audit (e.g., an audit of AP that includes assessing the competence of management and staff and awareness of the code of conduct and ethical expectations).

Many of the issues discussed above also apply here. The internal auditor should confer with the CAE and consider whether the control environment issues that have been identified might extend to other parts of the organization. The audit plan should be adjusted accordingly.

The assessment of the overall system of internal controls for the business risks covered by the audit should consider whether the control environment deficiencies are compensated for or mitigated by other controls that are operating effectively within or outside the business unit/function/area that is being audited.

Communicating Results

When communicating the results of a control environment audit, the auditor should consider:
• Whether the standard audit report format, including the standard assessment scale, should be used. In some cases, senior management or the board may prefer a presentation rather than a standard audit report.
• In many situations, limiting the distribution of the report. This may be achieved in some organizations by clearly marking the report as confidential and thereby limiting its distribution. However, the CAE should clearly understand how and when findings of control environment deficiencies related to the system of internal control over financial reporting need to be communicated to the external auditors.
• Additional safeguards if the audit was performed at the direction of the general counsel, especially when there may be a need to protect the confidentiality of the report under client-attorney privilege or similar protective measures.
• Whether the audit did not include procedures relating to an element of the control environment that is relevant to the assessment. Such a scope limitation should be clearly reported in the final audit report, even if the exclusion is based on the risk assessment as discussed above.
• If the review of the control environment was performed as part of a risk-based business audit in line


with the audit plan, whether to include a discussion of issues related to the control environment as part of the audit or as part of a separate report on the overall control environment.
• Varying the timelines for issuance of the report based on:
  • Significance of the issues identified.
  • Timing of the quarterly attestation on internal controls over financial reporting and compliance.
  • The scope and objective of the audit.
  • The nature or sensitivity of the issues identified.
  • The audience of the audit report.

In addition, the CAE should consider the following specific factors in determining how to communicate the results of control environment audits.

Sensitive Information

In some situations, communication of risks within the control environment due to the nature of the control deficiencies may be considered sensitive or confidential. For example, if there is an issue at the senior management level that could have a potential adverse bearing on the perception of their integrity and represent a potential compromise of organizational values, the CAE should consult with appropriate members of the senior management team, especially the general counsel, and the board to determine the appropriate communication strategy and process — including how corrective action will be documented and monitored.

Identification of Significant Issues

If an audit of the control environment identifies issues of significance, the CAE should review the results of prior internal audits to determine whether earlier assessments should be revised. The results of this review should be communicated to senior management and the board. This may result in changing the audit plan mid-stream because of a potential change in the organization’s risk profile.

Nature and Tone of Recommendations

Recommendations in the report should be practical with positive intent and should address the root cause for the identified control environment risk.

Follow-up of Recommendations

Much like other internal audits, the recommendations brought out in these audits should also be followed up. Given the sensitive nature of the findings, the follow-up may be performed by internal auditing or by others in the organization such as the audit committee and/or the board of directors.


Appendix

The following is an example of audit procedures that use seven basic principles for a broad-based audit that assesses the control environment. The principles, as well as the elements and attributes, are adapted from COSO’s Internal Control–Integrated Framework control environment component.7 The elements and attributes include financial, compliance, and operating effectiveness control objectives.

Each entry below gives, for one element and attribute, the Control Design (methods to achieve control environment principles, elements, and attributes) and the related Control Testing Considerations.8

1. Integrity and Ethical Values: Basic Principle — Sound integrity and ethical values, particularly of senior management, are developed and set the standard of conduct for doing business.

Elements and Attributes: Developed — senior management develops a clearly articulated statement of values or ethical behaviors that are understood by key executives and the board.

Control Design:
• Senior management conveys the message that integrity and ethical values cannot be compromised, both in words and in actions.
• Senior management has developed a code of ethics that emphasizes the organization’s expectation that employees will act with integrity in all actions related to their scope of employment.
• Senior management has developed a code of business conduct that emphasizes the organization’s commitment to fair and honest dealings with customers, suppliers, and other external parties.
• Performance expectations and incentives are designed so as to not create undue temptations to violate laws, rules, regulations, and organization policies and procedures.

Control Testing Considerations:
• Conduct periodic, anonymous “pulse” surveys of employees as to the ethical attitude communicated by senior management.
• Review the existence and content of the organization’s code of conduct and ensure a process exists for periodic updating of the code.
• Review the existence and content of the organization’s code of business conduct and ensure a process exists for periodic updating of the code.
• Review the mix between fixed and variable elements in employee compensation plans, and the relative weighting on short-term financial performance in compensation plans.
• Review senior management’s compensation system to understand if it unduly incents excessive risk-taking and the override of the entity’s system of internal control.

7 Adapted from “Internal Control over Financial Reporting-Guidance for Smaller Public Companies: Volume III, Evaluation Tools.” COSO, 2006, pages 25-31 for Control Environment Principles, Attributes and related summary of Entity-wide Controls and Management Documentation. Auditors should consider obtaining and reviewing the COSO literature found at www.COSO.org for more in-depth guidance and methodology tools.
8 The suggested control testing in many instances asks the internal auditor to obtain certain documentation. In practice the auditor may encounter situations where the documentation may be missing or may not exist. It is important that this lack of documentation be listed when appropriate as a significant audit finding by the auditor.


Elements and Attributes: Communicated — senior management communicates its commitment to ethical values through words and actions.

Control Design:
• New employees receive a copy of the organization’s code of ethics and code of business conduct and are trained as to how these guidelines apply to specific factual situations common to the organization’s business environment.
• Existing employees are provided with updated copies of the organization’s code of ethics and code of business conduct at least yearly, and receive periodic retraining on the application of these guidelines to the organization’s business environment.
• Customers, vendors, and other external parties receive a copy of the organization’s code of business conduct at least yearly, by inclusion in other mailings to these parties. Contractual arrangements with these parties should include requirements for adherence to the organization’s code of ethics and code of business conduct.

Control Testing Considerations:
• Review the signed employee representation that they have read and understood the codes of ethics and business conduct and, for existing employees, their certification that they have not violated the codes during the past year and are aware of no other such violations (or, if they are aware of such violations, they have 1) communicated these violations as directed by their compliance or ethics office training and 2) if based on their perspective the violations have not been resolved, communicated the potential violations via their company’s ethics hotline).
• Review organization training courses, including the process for ensuring that all employees attend these courses on the codes of ethics and business conduct.
• Review the organization’s policy for including the code of business conduct in a yearly mailing to customers, vendors, and other external parties. Verify that the code of business conduct is included in mailings.


Elements and Attributes: Reinforced — the importance of integrity and ethical values is communicated and reinforced to all employees in a manner suitable for the organization.

Control Design:
• The organization’s newsletter (and other internal communication devices) highlights:
  a. Ethical dilemmas often arising in the organization’s industry and how management expects employees to act in these situations.
  b. Ethical failures (with names disguised) and the consequences of these failures for both the organization and the employees involved.
  c. Ethical successes (with names retained and highlighted) with the situation described, the employee behavior, and why the behavior was consistent with organization guidelines.

Control Testing Considerations:
• Review editions of the organization’s newsletter during the year to examine whether coverage of ethical dilemmas, ethical failures, and ethical successes are included.


Elements and Attributes: Monitored — processes are in place to monitor the organization’s compliance with principles of sound integrity and ethical values.

Control Design:
• All new employees are required to sign the code of ethics and business conduct indicating that they have read and understand these codes.
• All existing employees are required to sign an annual contract acknowledging that they have read the most recent versions of the code of ethics and business conduct and that they understand and are in compliance with these codes.
• HR or hiring department management monitor whether new and existing employees have completed the required training on the codes of ethics and business conduct.
• The organization has established a hotline — a reporting mechanism that permits anonymity, and preferably staffed by an internal group with a direct reporting relationship to the board or by an outside vendor — for receiving reports of suspected violations of the organization’s codes of ethics and business conduct and publicizes the existence of the hotline.

Control Testing Considerations:
• Review the signed employee representation that they have read and understood the codes of ethics and business conduct and, for existing employees, their certification that they have not violated the codes during the past year and are aware of no other such violations (or, if they are aware of such violations, they have communicated these violations via the hotline).
• Review organization training courses, including the process for ensuring that all employees attend these courses, on the codes of ethics and business conduct.
• Review the existence of the hotline — including the organizational unit responsible for managing and overseeing the hotline. Examine the organization’s efforts to publicize the hotline. Review a sample of calls received on the hotline and examine the appropriateness of investigation and resolution of allegations.

Deviations Addressed — deviations from sound integrity and ethical values are identified timely and are addressed and remediated at appropriate levels within the organization.

Control Design:
• A senior executive, preferably with a direct reporting relationship to the board, is responsible for oversight of the organization’s ethics and compliance function.
• Allegations of violations of the organization’s codes of ethics and business conduct are appropriately investigated, and the necessary corrective, disciplinary, and remedial actions happen timely. This includes hotline reported matters.

Control Testing Considerations:
• Review the organizational unit, and related reporting relationships, responsible for oversight of ethics and compliance.
• Examine the appropriateness of investigations of allegations of violations of the organization’s code of ethics and business conduct, including corrective, disciplinary, and remedial actions taken.
• Review the organization’s investigation policies and practices to ensure that appropriately qualified personnel are performing the investigations. Evaluate the qualifications of the investigators and ascertain that there is good segregation of duties between investigations, operating management, and the discipline decision makers.


2. Importance of Board: Basic Principle — The board understands and exercises oversight responsibility related to financial reporting,
applicable laws and regulations, operating effectiveness and efficiency, and related internal control.

Evaluates and Monitors Risk — the board actively evaluates and monitors:
• The risk of management fraud via override of internal controls.
• Risks affecting the achievement of internal control objectives.

Control Design:
• The board develops governance principles and included among these principles is the board’s responsibility for evaluating and monitoring risks, especially the risk of fraud by senior management.
• The board actively, or by delegation of the audit committee, evaluates and monitors the risk of management fraud by overriding of internal controls.
• The board actively evaluates and monitors the risk of not achieving internal control objectives.

Control Testing Considerations:
• Review the board’s governance principles, and that among these principles is the board’s responsibility for evaluating and monitoring risks. Inquire of the board, senior management, the CAE, and the external auditor as to the board’s processes for evaluating and monitoring risks.
• Review board agenda, minutes, and information packets for evidence that the board evaluates and monitors the risk of fraud by senior management via management’s override of internal controls. Inquire of the board, senior management, the CAE, and the external auditor as to board processes for evaluating and monitoring the risk of management fraud and management override of internal controls.
• Review board agenda, minutes, and information packets for evidence that the board evaluates and monitors the risk of not achieving internal control objectives. Inquire of the board, senior management, the CAE, and the external audit partner as to the board’s processes for evaluating and monitoring the risk of not achieving internal control objectives.

Oversees Quality and Reliability — the board provides oversight for the effectiveness of the system of internal control.

Control Design:
• The board charter vests oversight responsibility for the organization’s internal control system with the board.
• The board receives periodic reports on the effectiveness of internal control.

Control Testing Considerations:
• Review the board charter to verify that the board has responsibility for oversight of the internal control system. Review board meeting agenda and minutes denoting substantive board attention to this issue.
• Review board meeting agenda, minutes, and information packets for evidence of reporting to the board on the effectiveness of internal control.

Oversees Audit Activities — the board oversees the work of all audit functions, including internal and external auditing, and interacts with regulatory auditors, as necessary. The board has the exclusive authority to hire, fire, and determine the compensation of the external audit firm and the CAE.

Control Design:
The board charter vests the audit committee or the similar governing body with the authority to oversee the:
• Financial reporting and external audit processes, and the exclusive authority to hire, fire, and determine the compensation of the external audit firm.
• The internal audit activity, and the authority to hire and fire the CAE and to approve the budget for the internal audit activity.

Control Testing Considerations:
Review the audit committee charter to verify that the audit committee is vested with the authority to oversee the:
• Financial reporting and external audit processes, and with the exclusive authority to hire, fire, and determine the compensation of the external audit firm. Inquire of board members, senior management, and the external auditors as to the board’s role in overseeing the financial reporting and external audit processes, including responsibility for selecting the audit firm and determining the audit fee.
• Internal audit group, and with the authority to hire and fire the CAE, and to approve the budget for the internal audit activity. Inquire of board members, senior management, and the CAE as to the board’s role in overseeing the internal audit activity, including responsibility for selecting the CAE and approving the internal audit budget.

Independent Critical Mass — the board has a critical mass of members who are independent of management.

Control Design:
• The organization’s charter or bylaws requires a critical mass of independent directors on the board, and is appropriate given the organization’s size, industry, and regulatory environment.

Control Testing Considerations:
• Review charter or bylaw provisions requiring independent directors on the board, and evaluate the number of independent directors given the organization’s size, industry, and regulatory environment. Review director backgrounds for those directors classified as independent.

Financial Expertise² — the board has one or more members who have financial expertise.

Control Design:
• The board charter requires at least one member to have financial expertise and requires all members to be financially literate.
• At least one member on the board has substantive experience in accounting (e.g., certified public accountant, CFO, or controller).

Control Testing Considerations:
• Review the backgrounds, including education and experience, of board members to evaluate the nature of their financial expertise and literacy.

Frequency — the board meets regularly, often in executive sessions, and devotes sufficient time and resources to adequately carry out its functions.

Control Design:
• The charter for the board requires it to meet no less frequently than quarterly.
• The board holds an executive session at every meeting.
• The board allocates time to meet alone with the partner from the registered public accounting firm and with the CAE at every meeting.
• The board devotes sufficient time to carry out its responsibilities (e.g., as a rule of thumb, the board should meet for 1-2 days at each meeting and the audit committee should meet for 3-4 hours at each meeting).
• The chairman of the board, if independent, or, if not, the lead independent director is primarily responsible for developing the agenda for board meetings. Other directors, the CAE, senior management, and external auditors have input to the agenda-setting process.

Control Testing Considerations:
• Review the charter for these provisions. Evaluate whether the board was in compliance with this aspect of the charter. Inquire of board members as to whether the number of meetings was sufficient (separately for independent and non-independent directors).
• Review board minutes, and inquire of board members as to whether an executive session was held at every meeting.
• Review board minutes, and inquire of audit committee members as to whether the board had the opportunity to meet alone with the audit partner from the registered public accounting firm and with the CAE at every meeting and does so on multiple occasions throughout the year.
• Review board minutes as to the length of board meetings. Inquire of board members as to whether the number of meetings was sufficient (separately for independent and non-independent directors).

9 Although COSO’s Small Business Guidance focuses on internal controls over financial reporting, it is important to note that boards need and have other experts (e.g., risk management, etc.) as members on various committees. In such cases, it is expected that educational background and related experience of such individuals also be evaluated.

Frequency (continued)

Control Design:
• The board has input into the packet of information received before board/committee meetings. The information packet is received at least three days before the meeting.
• Board members spend sufficient time reviewing the pre-meeting information packet.
• The charter for the board authorizes the board to retain outside advisers or counsel as needed.

Control Testing Considerations:
• Inquire of the chairman of the board (lead independent director) and other board members as to the process for setting the board agenda. Confirm that board members have an opportunity to review and provide input into the setting of the agenda.
• Inquire of board members as to their involvement in determining the content of the information packet and appropriateness of the advanced distribution for review prior to the meeting.
• Inquire of board members, senior management, the audit partner, and the CAE as to board preparedness for meetings. Review the annual board peer evaluation process, ascertaining that board preparedness is evaluated.
• Review the charters for provisions allowing the board to retain outside counsel and advisers as needed. Inquire of board members as to


3. Management’s Philosophy and Operating Style: Basic Principle — Management’s philosophy and operating style support achieving
effective internal control.

Set the Tone — management’s philosophy and operating style emphasize high-quality and transparent internal and external reporting, and the importance of effective internal control and risk management.

Control Design:
• Management emphasizes the importance of meeting internal control objectives through both its words and actions.

Control Testing Considerations:
• Inquire of relevant employees as to their perception of the importance of complying with internal control objectives. Review criteria for employee performance reviews, ascertaining whether employees are held accountable for meeting internal control objectives.
• Review speeches and presentations to internal and external parties that may reflect the tone and style of leadership.
• Independently observe or inquire with attendees of executive and/or board meetings to confirm that the extent and depth of conversations regarding risk, controls, and compliance matters is appropriate given the matters facing the organization.
• Review employee survey results where questions concerning the culture and leadership have been asked.

Articulate Objectives — management establishes and clearly articulates internal control objectives.

Control Design:
• Internal control objectives over financial reporting, compliance with applicable laws and regulations, efficiency and effectiveness of operations, and safeguarding of assets are communicated to relevant individuals throughout the organization.

Control Testing Considerations:
• Review organization operating and accounting manuals and other means of disseminating internal control objectives throughout the organization. Inquire of relevant individuals as to their understanding of internal control objectives.

Select Principles and Estimates — management follows a disciplined, objective process in developing internal control objectives.

Control Design:
• The organization follows a periodic, disciplined process for establishing internal control objectives over financial reporting, compliance with applicable laws and regulations, efficiency and effectiveness of operations, and safeguarding of assets and involves senior financial and operating management.

Control Testing Considerations:
• Review documentation of the organization’s process for establishing internal control objectives. Inquire of senior financial and operating management as to their involvement in establishing internal control objectives.


4. Organizational Structure: Basic Principle — The organization’s organizational structure supports effective internal control.

Establishes Responsibility — management establishes internal reporting responsibilities for each functional area and business unit in the organization.

Control Design:
• The organization designs a structure that is appropriate given its size, industry, age, and business risks.
• Management establishes reporting responsibilities for all organizational units.

Control Testing Considerations:
• Review the entity’s organizational structure. Compare the organizational structure to other companies of similar size, industry, and age.
• Review established reporting responsibilities and written evidence of the discharge of these reporting responsibilities during the period. Inquire of key operating, financial, and legal personnel as to their understanding of, and compliance with, reporting responsibilities.
• Review whether the risks associated with the organization’s structure have been discussed by senior management and the board (e.g., risks associated with legal entity complexities, centralization vs. decentralization, span of control, pace of business change and whether the organizational structure is adapting, etc.).
• Review whether the organization’s structure facilitates the flow of risk information upwards, downwards, and across the organization.

Maintains Structure — management maintains an organizational structure that facilitates effective reporting and other communications about internal control among various functions and positions of management.

Control Design:
• The organization develops and maintains an organization chart that establishes roles and reporting responsibilities for all employees.
• The organization develops and maintains job descriptions for key positions.

Control Testing Considerations:
• Review the organizational chart, including delineation of roles and reporting responsibilities, and review the organization’s process for updating the organizational chart. Inquire of key employees in the internal control structure as to their understanding of roles and responsibilities.
• Review job descriptions for key employees, including the organization’s process for updating job descriptions. Inquire of key employees in the internal control structure as to their understanding of their job description.

Maintains Processes — management’s lines of reporting recognize the importance of maintaining processes for objective verification of information generated from the organization’s information system.

Control Design:
• The organization has established processes for periodically validating the reliability of its information system and the accuracy, completeness, and timeliness of the information generated from that system.

Control Testing Considerations:
• Review the organization’s process for periodically validating the reliability of its information system and the accuracy, completeness, and timeliness of the information generated from that system, and reports generated as a result of this process. Review deficiencies identified, and the organization’s investigation, resolution, and remediation of identified deficiencies.

5. Commitment to Competence: Basic Principle — The organization retains individuals competent in financial reporting, internal control,
and risk management, and related oversight roles.

Identifies Competencies — competencies that support effective financial reporting, internal control, and risk management are identified.

Control Design:
• A clear and transparent competency strategy/plan exists that is aligned to the organization’s business strategy and objectives. The strategy has been approved by executive management and communicated. The strategy/plan should include the competency requirements for activities that have been outsourced. The plan should include methods for acquiring the competencies required.
• Plans are in place to ensure the appropriate level of staffing.
• Formal job/role descriptions exist that define tasks and competencies for each position. Job/role descriptions (and experience) should include both skills and behaviors necessary to complete the assigned work. For each competency, the desired level of competency should be articulated.

Control Testing Considerations:
• Obtain and review the competency strategy/plan to verify that it exists, aligns to business strategies and objectives, has been approved by executive management, and has been communicated as appropriate.
• Review staffing levels and organization charts and inquire with management to understand the methodologies used to assess that there is sufficient staff to execute strategies and operating plans.
• From the organization charts, select a sample of positions and review the job/role descriptions to ensure that the right level of competencies have been articulated to fulfill the assigned tasks of the position. Do the skills seem appropriate and competencies (and experience) reasonable and consistent? It is recommended that the sample include key leadership, management, and supervisory positions particularly as they relate to financial reporting, risk, and control.

Retains Individuals — the organization employs or otherwise utilizes individuals who possess the required competencies in financial reporting, internal control, compliance, and risk management.

Control Design:
• Individuals are placed in positions based on the fit of their competencies (and experience) to the job requirements as defined by the job descriptions.
• In filling key management positions, broad functional experience should be a goal.
• Consideration is given to competency of service providers when outsourcing activities.
• There should be a plan to cross train management and staff to provide understanding of other functions impacting their specific duties and for back-up.
• Plans are in place to ensure adequate staffing levels are maintained.
• Succession plans for key positions exist and individuals identified in those succession plans have the required competencies or plans exist to develop those competencies.
• There is a process in place to obtain assistance for highly complex technical matters.
• Hiring of individuals includes background checks and references, etc.

Control Testing Considerations:
• For recent hires, obtain the incumbents’ curriculum vitae or résumés to ascertain that there is an appropriate match of their competencies to the job position. Consider competencies, background, education, and experience. Inquire with management about the adequacy of the selection process.
• In reviewing the key management job descriptions of incumbents, ascertain that there is broad functional experience rather than over-weighting from one or two functional areas. Inquire with management about the alignment of current skills and competencies of incumbents given ongoing business changes, risks, and current operational performance.
• Review outsource agreements/arrangements to ascertain that competencies were given due consideration in selecting the service provider (pre-qualification). Ensure that provisions exist requiring the service provider to maintain the necessary competencies. Assess whether the process for monitoring competencies is effective.
• Obtain training plans and ascertain that cross training is being included in training plan strategies.
• Inquire of external auditors their perception of capabilities and staffing levels within the financial reporting and key governance functions within the organization. Review audits completed by external parties (regulators, contract, environmental, etc.).

Retains Individuals (continued)

Control Testing Considerations (continued):
• Were competencies evaluated and if so what were the conclusions/recommendations?
• Review succession plans for key positions. Ensure that training development plans and competencies of potential succession planning candidates generally align to job/role requirements.
• Inquire with finance staff and independently with external auditors to determine how past needs for technical assistance/confirmation of accounting procedures were handled.

Evaluates Competencies — needed competencies are regularly evaluated and maintained.

Control Design:
• There is a competency assessment approach and guidance that is documented and updated regularly. The approach is designed to identify competency gaps and establish written development plans to address gaps within a reasonable timeframe and a monitoring/reporting system to ensure that the gaps are addressed.
• For individuals in key financial reporting, risk, and control functions, the board annually assesses their competencies.
• Annual assessments of competencies and performance of both organization and outsourced service provider employees is in place.
• Skills noted in job descriptions are part of the regular annual employee performance review.

Control Testing Considerations:
• Obtain and review the adequacy of procedures for assessing individual competencies. Select a sample of management and staff and review assessments, plans to address gaps, and progress made to date. Review the reporting system, and conclude on whether people collectively are progressing adequately in addressing competency gaps.
• For key individuals, review documentation that this was completed.
• Review those business processes where surprise risk events, material weakness, or deficiencies occurred to determine if competency assessments were properly carried out.
• Review a sample of performance appraisals to determine whether skills noted in job descriptions are indeed part of employees’ annual performance appraisal and whether compensation adjustments differ for employees performing the same skill at various levels of competency.


6. Authority and Responsibility: Basic Principle — Management and employees are assigned appropriate levels of authority and responsibility to
facilitate effective internal control.

Board Oversees Internal Control and Risk Management — the board oversees management’s process for defining responsibilities for internal control and risk management.

Control Design:
• Legal entity board and committee structures, bylaws, and/or charters set forth responsibilities for the oversight and evaluation of management’s principal roles and responsibilities for risk management and internal control.
• Board meetings should regularly include discussions on the effectiveness of management’s roles and responsibilities for risk management and internal control.
• As a result of discussions, the board should make recommendations on realignment where necessary.

Control Testing Considerations:
• Obtain and review the organization’s legal documents to ensure that proper oversight roles exist and are documented.
• Review board meeting agenda and minutes to ascertain that appropriate oversight discussions are taking place.

Defined Responsibilities — assignment of responsibility and delegation of authority are clearly defined for all employees involved in the internal control and risk management, compliance, and financial reporting processes.

Control Design:
• The board delegates authorities and responsibilities to the CEO who in turn delegates authority and responsibilities to appropriate individuals in the organization. These delegated authorities and assigned responsibilities should be formally documented.
• For key management positions, the board reviews and approves descriptions of the positions’ responsibilities and authorities, and considers how those positions affect the strength of internal control.
• The evidence for assignment of authorities can be in the form of a delegated authorities matrix, written job descriptions, or individual authority grant letters. Employees should clearly understand their authorities and responsibilities.

Control Testing Considerations:
• Review completeness of process for defining responsibilities and delegating authorities.
• Evaluate appropriateness of criteria for delegating authorities.
• Through inspection, verify that key management has appropriate documented authorities. By interview, ascertain that management understands its authorities and responsibilities.
• Verify that authorities are reviewed and adjusted where appropriate periodically.
• Review employee surveys (or conduct a survey if not conducted by others) to determine whether authorities and responsibilities were clearly communicated and understood.

Defined Responsibilities (continued)

Control Design (continued):
• When management assigns authority and responsibilities to key individuals, it considers the impact on the effectiveness of the control environment and the importance of maintaining effective segregation of duties. A defined set of criteria should exist upon which management bases level of authority.
• When delegating levels of authority and responsibility, management establishes an appropriate balance between the authority needed to “get the job done” and the need to maintain adequate internal control over key business processes.
• Authority levels should be reviewed periodically to ensure they are appropriate.
• Employees are empowered to correct problems or implement improvements in their assigned business processes as deemed necessary. Empowerment to take these actions is accompanied by pre-approved levels of responsibility and authority.
• Management considers the nature of employee positions within the organization when assigning responsibilities to individuals or determining certain levels of authority for positions.

Limit of Authority — assignment of authority and responsibility includes appropriate limitations.

Control Design:
• As part of granting authorities, the organization process includes clear lines of authority for approving transactions over a specific dollar amount or in meeting certain described characteristics. As dollar threshold increases, additional approvals from senior management are required, with the highest dollar thresholds reserved for CEO and board approval.
• There is a process in place to monitor compliance to authority levels and a remediation process in those cases where authorities are exceeded.

Control Testing Considerations:
• Include verification of authority limits in testing above.
• During the review period for any significant events/transactions, verify that the appropriate approval process and levels of approval were followed.


7. Human Resources: Basic Principle — HR policies and practices are designed and implemented to facilitate effective internal control.

Establish HR Policies — management establishes HR policies and procedures that demonstrate its commitment to integrity, ethical behavior, and competence.

Control Design:
• HR policies and procedures exist. These are reviewed and approved by the board and implemented by management. The policies and procedures are documented and thus provide evidence of the control process.
• HR policies and procedures are periodically reviewed, updated where necessary, and signed off/approved by appropriate individuals.
• An effective policy exists for disseminating the HR policies and procedures and employees understand them.
• Newly hired employees receive a copy of the policies and procedures and all employees receive updates.
• Periodic employee surveys are conducted to assess employee understanding of HR policies and procedures and whether they have been effective in achieving HR objectives.

Control Testing Considerations:
• Obtain and review the organization’s HR policies and procedures to ensure that they are complete, current, and approved appropriately.
• Review most recent employee survey content. Did it ask employees to evaluate quality/effectiveness of the policies, procedures, and practices? Where improvement opportunities exist, what is the status of the actions? Were the results summarized and reviewed with senior management and the board?


Element and Attribute: Recruiting and Retention — employee recruitment and retention for key positions are guided by the principles of integrity and by the necessary competencies associated with the positions.

Control Design: Management establishes and enforces standards for hiring qualified individuals consistent with job description requirements. Policies over conflicts of interest regarding employment relationships, such as those involving family members or personal relationships among co-workers, are in place and enforced. Recruiting practices include formal, in-depth employment interviews. Screening procedures, including reference checks, resume review, and background checks, are employed for job applicants, particularly those applying for key management positions. Interview and screening practices comply with local employment, human rights, and privacy laws/regulations. The organization develops and maintains position descriptions that reflect its values and the competencies needed to fulfill the position requirements. The job descriptions contain specific references to control-related responsibilities. The organization performs exit interviews with those leaving the organization and inquires about any concerns related to internal control. Retention strategies include formal succession plans. The organization should have a documented succession plan for key management positions. Succession plans should be updated periodically and approved by the CEO and board.

Control Testing Considerations: Include a review of recruiting/retention procedures when completing the review above. Verify that screening procedures are being followed. For recent hires into key positions, verify that the new hire meets the position requirements. Review exit interview documentation. Verify that follow-up action was appropriate. Obtain and review succession plans for key positions. Ensure they are periodically reviewed and approved. Review turnover statistics and trends. Were results outside a reasonable range analyzed and discussed at an appropriate level? Assess whether HR or another management area reviews turnover levels. Independently review turnover data regarding overall turnover, turnover of recent hires, and turnover of key positions or competencies. Inquire further about the potential root cause of excessive, unexpected, or unexplained turnover.

Element and Attribute: Adequate Training — management supports employees by providing access to the tools and training needed to perform their roles.

Control Design: Training programs exist to enforce and promote ethical behavior and internal control. A training program should include identification of the knowledge, skills, and competencies necessary for employees to perform their roles. Individual training needs should be documented in a training plan. The ongoing training process enables people to deal effectively with evolving business environments. Training includes development and coaching in leadership and interpersonal skills. Management supports employees by providing them the tools and resources necessary to perform their jobs.

Control Testing Considerations: Obtain and review training and development programs to ensure they address key elements. Verify that the program includes steps to evaluate employee effectiveness and to set a plan to close any identified gaps. Inspect training plans for several key management team members to verify existence. Evaluate progress in closing gaps. Review budgets to ensure that there are adequate resources (e.g., time, people, funds, equipment) to achieve the development plans. Review actual spending to ensure that employees are availing themselves of the training. Review the organization's supplemental education program, if one exists. Sample employees regarding the adequacy of internal training and the value added by the training in enhancing skills and competencies.

Element and Attribute: Performance and Compensation — employee performance evaluations and the organization's compensation practices, including those affecting senior management, support the achievement of internal control objectives.

Control Design: A performance management process that includes objective setting, assessment, and reward exists. The organization's compensation/incentive plan for senior executives is balanced between achievement of financial and non-financial goals and is not over-weighted toward achievement of quarterly financial results. The performance management process includes steps to confirm awareness of an employee's progress toward achievement of objectives during the performance period. Performance reviews are conducted annually and signed by the employee and the respective manager. The documented review is evidence of the performance review and is retrievable. Performance evaluations and compensation, including incentive compensation, for key management are reviewed by the board before administration/payout. Compensation programs are benchmarked in the market and by industry periodically. The board is apprised of such benchmarks. The board is assured of the integrity of incentive program information systems and that the information used to award incentive compensation is reliable.

Control Testing Considerations: Obtain and review the organization's documented performance management process. Verify that key elements exist. For key management (with particular emphasis on executives), verify that the performance management process was performed as required. Review board meeting minutes and other documentation supporting its review and approval of performance and rewards. Verify that compensation changes, incentive compensation awards, and stock grants made are consistent with board-approved amounts. Review information packages provided to the board to ensure that it is getting appropriate information for benchmarking compensation and awarding incentives. Review the processes used to develop and compile compensation information and confirm that assurance activities cover all important activities. Compare actual compensation paid and incentive awards made to approved amounts and pay guidelines.

Authors
Parveen P. Gupta

Philip D. Bahrman, CIA

Joseph Carcello, CIA

Princy Jain, CIA, CCSA

Norman Marks

James A. Rose, CIA

Erich Schumann, CIA

Natarajan Girija Shankar, CIA

Reviewers
Carlos Alberto Reyes, CIA

Maria E. Mendes, CIA, CCSA

Lynn C. Morley, CIA

David W. Zechnich, CIA

Douglas J. Anderson, CIA

Steven E. Jameson, CIA, CCSA, CFSA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave., Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
IPPF – Practice Guide
Business Continuity Management
August 2014

Table of Contents

Executive Summary ... 1
Introduction ... 2
Internal Audit Roles and Engagements ... 4
Internal Audit's Evaluation of Key BCM Elements ... 5
Internal Audit Activities Before a Crisis ... 7
Internal Audit Activities During and After a Crisis ... 7
Appendix ... 9
Authors & Reviewer ... 23

www.globaliia.org/standards-guidance /

Executive Summary
Business continuity management (BCM) prepares organizations for future incidents or crises that could interfere with the achievement of business objectives. Crisis management (CM) is a key component of BCM and deals with communicating pertinent information about the crisis to the organization's stakeholders.

Internal audit's breadth and depth of skills and qualifications, position in the organization, and in-depth knowledge of organization-wide operations position it well to make meaningful contributions to the development, implementation, and assessment of an organization's BCM and CM initiatives. Internal audit may perform a variety of key and supporting roles, depending on the existence and/or maturity of BCM and CM initiatives, as well as the severity and circumstances of the crisis.

Internal audit's roles may involve assurance and advisory services before, during, and after a crisis. Assurance and advisory services both require expert knowledge of key BCM elements including program governance, risk management, business impact analysis, and business continuity and recovery planning (BCRP).

• Assurance engagements may be performed to verify that BCM and CM are effective.
• Advisory services may be performed to help management focus planning activities and coordinate BCM and CM with risks and controls.

During a crisis, internal auditors also may be expected and authorized to perform critical non-auditing roles to serve the needs of the organization.


Introduction
The IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management speaks to the importance of BCM, serves as a valuable reference for the key components of an effective BCM program, and provides direction for the continuity of critical IT infrastructure and business application systems during and after a crisis. This practice guide expands on Business Continuity Management by exploring auditors' potential roles in crisis management and providing guidance on:

• Internal audit activities before, during, and after a crisis.
• Internal audit's evaluation of key BCM elements.

Practice aids provided in the appendix include a risk assessment checklist, sample audit programs, a glossary, and references.

Business Significance and Related Risks
All organizations will eventually face business interruptions. A well-defined BCM/CM plan is like an insurance policy for the organization: it helps to ensure that the organization will continue to be viable and meet stakeholder expectations. The BCM/CM plans also can provide internal audit with a venue to continually update and communicate effective risk management and control throughout the organization.

Crisis management plans (CMP) consolidate preventive and reactive risk management measures for acute crisis situations. Deficient, poorly constructed, or poorly communicated CMPs with inadequate testing or training may elevate organizational risks from a crisis to unacceptable levels. CMPs developed post-crisis rely primarily on the recent crisis to drive content development and may not be comprehensive enough to be effective. For public sector organizations, including governments, exposures due to a crisis or incident may have broader local and international implications.

A well-communicated and comprehensive CMP may help organizations effectively navigate through a crisis and related risks. Moreover, a CMP may improve an organization's resilience in the face of crisis. CM tools and programs, when built thoughtfully, validated periodically, and advocated and approved by management and/or the board, will enable organizations to manage events and mitigate risks to minimize overall operational, financial, reputational, regulatory, and legal exposure for key internal and external stakeholders.

Related IIA Standards and Guidance
The International Standards for the Professional Practice of Internal Auditing (Standards) related to BCM and CM include:

Standard 2100: Nature of Work
The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

Standard 2110: Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.


Standard 2120: Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Standard 2400: Communicating Results
Internal auditors must communicate the results of engagements.

Definitions of Key Concepts
BCM is the process by which an organization prepares for future incidents or crises that could jeopardize the organization's core mission and its short- and long-term ability to continue operations and meet stakeholder expectations. CM, considered a key component of BCM, addresses how the organization will inform the general public, its staff, its business partners, and various stakeholders of a disaster or crisis and the steps being taken to resume business operations and minimize internal/external stakeholder impact. A CMP is a consolidated portfolio of activities consisting of preventive and reactive measures executable by any organization to effectively mitigate and manage risks created by a crisis or event.

Business Continuity Management
BCM is a risk management approach based on business value. It aligns business continuity capabilities with risks. The goal of BCM is to enable any organization to restore critical operational activities, manage communications, and minimize financial and other effects of a disaster, business disruption, or other major event. BCM is a simple matter of risk management designed to create business continuity capabilities to match likely risks based on business value. While terminology in professional literature may vary, the term BCM in this practice guide addresses the overall policy/model/framework for managing various types of service interruptions that can be triggered by events internal or external to the organization. This definition also may apply to public sector organizations such as governments. For these organizations, the term business represents governing agencies, critical public operations, public safety, and the security of its constituents.

Key components of BCM include:

• Management Support – Management shows support to appropriately prepare, maintain, and exercise a business continuity plan (BCP) by assigning adequate resources, people, and budgeted funds.
• Risk Assessment and Risk Mitigation – Potential risks due to threats such as fire or flood are identified, and the probability and potential impact to the organization are determined. This is done at the site and division level to ensure that the risks of all credible events are understood and managed appropriately.
• Business Impact Analysis (BIA) – Identifies business processes that are integral to keeping the business unit functioning in a disaster and determines how soon these integral processes should be recovered following a disaster.
• Business Recovery and Continuity Strategy – Addresses the actual steps, people, and resources required to recover critical business processes. This also should identify key communication mechanisms and protocols. The strategy may consider company or industry benchmarks and standards.
• Plan Awareness and Training – Education and awareness of the BCP are critical to the execution of BCM. Training also may include performance of exercises and/or practice drills for portions of the BCP.
• Maintenance – The BCM capabilities and documentation are maintained to ensure that they remain effective and aligned with business priorities.

Crisis Management
CM is a key component of BCM that is triggered when the disruption of business service rises to the level of a crisis or disaster. CM documents methods used to respond


to the reality and perception of crises. CM also involves establishing metrics to define what scenarios constitute a crisis and should consequently trigger the necessary response mechanisms. It consists of the communication that occurs within the response phase of emergency management scenarios.

Types of Interruptions
BCM seeks to manage internally and externally generated threats. Each threat can have varying degrees of impact on the organization's business processes, which could adversely affect regulatory compliance, personnel safety, protection of the environment, the ability to maintain operating standards and satisfy contractual requirements, and the organization's brand/reputation. Types of interruptions include:

• Cyberattack.
• Disease/pandemic.
• Earthquake/tsunami.
• Fire.
• Flood.
• Hurricane/tornado.
• Labor disruption.
• Production failure/outage.
• Product contamination.
• Sabotage.
• Service or product outage for key business partners/vendors.
• System failure.
• Terrorism.
• Utility outage.

Internal Audit Roles and Engagements

Internal Audit's Role Defined
Internal auditors are positioned to contribute to crisis management by providing organizations with practical insights into operations. The chief audit executive (CAE) should define internal audit's roles before, during, and after a crisis, taking care not to assume responsibility for the ownership or management of crisis-related risks. Often, the internal audit function may have a seat at the table during the crisis management planning process. As an initial action, the CAE, along with key internal audit management, should become familiar with leading BCM practices through external references and standards. Resources are provided in Practice Aid III of this guide. Once roles are developed, they should be documented and communicated within the function and to key external stakeholders who will be directly impacted.

If internal audit or the CAE does not have a role in the crisis management process, the audit committee should be notified to avoid gaps in expectations. When internal audit serves in an advisory role to management in the context of BCP/CMP development, the potential impact on internal audit's independence and objectivity should be explicitly addressed. As roles are identified, they should be approved by the CAE's administrative and functional reporting lines and potentially documented in the internal audit charter.

Advisory or Assurance Engagements Regarding BCM
The internal auditor's responsibility to add value and improve an organization's operations and risk management efforts should extend to BCM assurance or advisory engagements, depending on the maturity of the organization's BCM program. The inclusion of the internal audit activity in the BCM and CM planning or refinement process may be key to the program's success. This is especially the case for organizations with a low level of maturity in this


space. Given its interaction with, and understanding of, the needs of the organization's board and executive management, internal audit can provide perspective and help focus planning activities. Ensuring that key BCM focus areas are aligned with board and executive management level needs is critical to success.

Assurance Engagements
Internal audit may perform periodic assurance engagements to verify that the BCP and CMP are comprehensive, relevant to the current business operating environment, and communicated to the appropriate internal and external stakeholders. The frequency, nature, and extent of work performed will be driven by risks or by requests from stakeholders to validate the effectiveness and relevance of planned efforts.

The scope of assurance engagements may include a comprehensive BCM program or specific elements (e.g., testing the occurrence and update frequency of the BCP, and the maturity of the CMP). Internal audit's knowledge of the risks mitigated by the BCP or CMP and prior involvement in an advisory capacity during plan development may promote a more efficient engagement planning process.

Assurance engagements may include:

• Requests for review by the audit committee or executive management on the BCM program or portions thereof, including vendor or business partner reviews.
• BCM reviews to evaluate plan completeness, maturity, and appropriateness based on organizational risks, growth, or divestitures.
• Program risk assessments.
• Reviews of existing provisions of an organization's or a business partner's BCP/CMP as defined by contractual terms (e.g., right-to-audit clauses or defined service-level agreements).

See Practice Aid I for additional guidance on assurance engagement programs.

Advisory Engagements
The focus of BCM can quickly turn toward the review and analysis of IT infrastructure because data access and transfer are considered core business functions. However, when providing BCM/CM advisory services, internal audit should consider broad organizational objectives and risks and not limit the engagement's emphasis to IT issues. BCM advisory engagements should not compromise internal audit's objectivity. Care should be taken not to accept responsibility for ownership or management of business continuity risks.

Internal Audit's Evaluation of Key BCM Elements
BCM programs include common elements such as program governance, risk management, business impact analysis (BIA), and business continuity and recovery planning (BCRP). It is critical that each element involve the right sponsors, stakeholders, and business partners to help ensure the development of a comprehensive, supported, and actionable plan. Overall communication elements within, and information about, the plans should be shared with key stakeholders. Internal audit activity may include evaluating the effectiveness of BCM and the CMP.

Program Governance
The key to successful BCM is the support and sponsorship of executive management. Internal audit can help identify and forge relationships between key internal BCM stakeholders. The following activities may be performed by internal audit during the initial stages of BCM evaluation:

• Determining whether key leadership positions have been documented and approved to help ensure ownership and accountability for the organization's


programs. Leadership is critical to identifying plan interdependencies, promoting continuous improvement, and learning from post-crisis activities.
• Recommending the development of a BCM charter. The charter helps to establish program sponsorship and support within the highest levels of the organization. In addition to validating the BCM program's existence, a well-defined charter establishes a BCM governance structure (i.e., a BCM committee) and guidance regarding periodic re-evaluation of the charter. A governance structure approves BCM or CM decisions and provides a forum for visibility into organizationwide BCP or CMP development, revisions, and associated internal and external communications.
• Evaluating whether an established BCM and CM governance structure is adequately funded, appropriate, and effective in serving the needs of the board, audit committee, or executive management. Internal audit may play a nonvoting member role or attend meetings to provide feedback on the role, charter, and efforts of such a body.
• Communicating and advising on whether BCM governance appropriately and effectively serves the needs of the board, audit committee, and executive management.
• Apprising the board (audit committee) of the risks associated with, and current best practices for, business continuity and CMPs.

Risk Management
For BCM to be effective, it must consider the relevant prioritized risks facing an organization in the event of a crisis. Internal audit often has a detailed understanding of core business risks. Risks may be magnified and reprioritized during a crisis based on the nature and extent of events facing an organization. Internal audit may share information about key organizational risks during the establishment and evaluation of BCM.

Understanding key BCM risks can help strengthen the development of the proposed internal audit plan. Being exposed to the organization's BCM activities helps the internal auditor identify key exposure areas including organizational tone/support, operational control activities, and core processes and potential systems/data/vendor dependencies. Weaknesses or failures in these areas could prompt the internal audit function to focus resources on providing assurance or advisory engagements geared toward adding value and organizational improvement. Gathering risk data helps guide internal audit's plan and allows internal audit to perform analyses to assess risk probabilities, impacts, comprehensiveness, and credibility. Practice Aid I provides a sample risk assessment checklist.

Business Impact Analysis (BIA)
Internal audit may provide guidance on how management can perform a BIA, a key component of BCM. A BIA will support the identification of key business assets, functions, applications, partners, vendors, resources, and the eventual evaluation of potential loss to an organization in the event of a crisis. GTAG 10: Business Continuity Management provides useful direction on performing a BIA. The results of the BIA will likely drive the levels of pre-emptive actions, coverage, and risk appetite to be assumed by the organization. A BIA, if performed effectively, will outline critical operations, critical resources, and processes (facility, personnel, and technology, including logical and physical security) and may ultimately drive investment priorities for a BCP and related CMP.

Business Continuity and Recovery Planning (BCRP)
BCRP provides a proactive method by which organizations can identify business continuity and recovery measures to manage and mitigate key organizational risks triggered by a crisis. Internal audit may provide advisory or assurance services related to BCRP.


Internal Audit Activities Before a Crisis
Internal audit's evaluation of BCM, and specifically of the CMP, may help ensure that the CMP remains relevant to organizational priorities in the event of a crisis. Included below are typical activities in which internal audit may be engaged before a crisis:

• Share knowledge of leading developments for BCM with executive management and the audit committee.
• Specifically consider BCM as a risk facing the organization and consider residual risks in the development of the annual audit plan.
• Evaluate key business partner arrangements for appropriate contractual terms, including service-level agreements, right-to-audit clauses, and requisite reporting to management regarding the partner's control environment.
• Advise management in its performance of BCM risk assessments or evaluate the accuracy of management's BCM risk self-assessments.
• Perform assurance engagements related to the BCP and/or CMP, as part of the annual audit plan. Assurance engagements may include evaluation of plan components, communication protocols within the plan, and the operational aspects of the plan.
• If not established by the provisions of the internal audit charter or directives from the board, clarify and establish BCM roles for internal audit and the CAE.

Internal Audit Activities During and After a Crisis
The headings below describe common activities that internal audit may perform during and after a crisis.

During the Crisis:
• Monitor and assess the organization's response to an event and be an active participant on the crisis management team.
• Monitor outage details for subsequent audits.
• Serve on a crisis management committee to ensure that risks associated with a crisis are understood and provide recommendations on alternate courses of action to management, as appropriate.
• Participate in the wider crisis management and recovery process for the organization, as agreed upon and authorized.

The Standards allow for these types of involvement provided that the details of any potential impairment to internal audit independence are disclosed to appropriate parties (e.g., audit committee and BCM leadership). Involvement by internal audit may be greater during the initial stages of a crisis, when support from the organization's limited available resources is in high demand.

After the Crisis:
• Evaluate and report on the effectiveness of the organization's recovery efforts.
• Continue to assess risk, provide guidance, and help develop business improvement efforts.
• Perform post-crisis reviews to identify opportunities for BCM activities and, specifically, for CMP evolution.
• Perform assurance engagements to evaluate whether management performed and appropriately considered the results of root-cause analysis to update the BCP and CMP, as needed. Participate in the organizationwide recovery process, as agreed upon and authorized per the BCP and CMP.

These activities are discussed in greater detail in the following pages.

www.globaliia.org/standards-guidance / 7
IPPF – Practice Guide
Business Continuity Management

Conduct Audits of the Recovery Processes and Plan Effectiveness

The disaster recovery plan, as a component of the BCM, may include requirements for internal audit to conduct an audit of the recovery process. Where this is the case, this additional work will need to be included in the initial draft plan and may lead to changes to those priorities.

Additionally, where such a role has not been specifically assigned, the CAE should consider whether, following a risk-based assessment, he or she should recommend to the BCP leadership team that particular aspects of data recovery and/or CMP should be audited.

The types of audit work that might be undertaken include:

• An end-to-end review of the recovery process (i.e., whether it complied with the planned process and whether the plan proved to be detailed enough to deal with the issues that emerged).
• An audit of the effectiveness of the recovery process, including performance against defined metrics or plan components as well as effective and timely internal and external stakeholder/business partner communication.
• A review of controls and special processes introduced outside the normal control framework and their potential impact on operational or financial risks for the organization.
• An audit of management’s data recovery processes, which may include examining key data reconciliations performed by management to ensure data completeness and accuracy.
• A review of actual BCP and CMP variations following activation of the plans, including recommendations that will allow for effective plan evolution. This also should apply to the internal audit activity’s own plans.

Participate in the Broader Recovery Process

Internal auditors may be requested by organizational leadership to lend additional support to operational staff who are:

• Working on recovery processes.
• Working on revisions to normal business processes as a result of the unavailability of IT systems.
• Using alternate defined procedures to carry out activities for which normal processes have been disrupted.

It will be important for the CAE to consider requests authorized by the audit committee in advance of determining internal audit’s BCP/CMP role. Additionally, when internal audit staff are released to assist with CM or recovery efforts, assigned duties should be carried out under the direction of operational management. To protect objectivity, the CAE should consider the operational duties performed by internal auditors and avoid assigning them to future internal audit assurance activities in the same area.


Appendix

Practice Aid I: Sample Work Programs for BCM Assurance or Advisory Engagements

The internal audit activity plays an important role in providing an independent review of the adequacy of the overall BCM. The depth and frequency of audit activities and reporting should be scaled to the criticality of the operation. While the scope of the audit activities and deliverables may vary, in all cases they must encompass an independent and objective evaluation of the effectiveness of the testing program. The internal audit activity should determine the reasonableness of the underlying assumptions that were made in developing the testing program. The reasonableness of underlying assumptions, as well as the adequacy of the test plan, scenarios, schedules, and reports, should be evaluated relative to the size and complexity of the organization, the criticality of the business line, and the risk and impact of possible business disruption. Internal audit also should observe test exercises to assess the control environment of alternative locations, verify the results, assess that appropriate reporting and escalation mechanisms are established and used, and evaluate whether test plans are updated to reflect prior test results. An audit considers five common aspects of the BCM:

1. Business environment and strategy.
2. BCP methodology and strategy.
3. Business impact analysis (risk evaluation and controls).
4. Recovery plan.
5. Awareness, testing, and training.

Example 1:
BCM SAMPLE WORK PROGRAM
(Each sub area lists its items and, for each item, the possible considerations an auditor may test.)

SUB AREA 1: Business environment and strategy
Item: Industry
Possible considerations:
1. Key industry standards for BCM.
2. Legal requirements for the industry in which the company operates.
3. History of industry-specific vulnerabilities.
4. Listing of identified bodies and authorities (external agencies).
Item: External dependencies
Possible considerations:
1. Critical business partner relationships and stakeholder dependencies are identified and considered (includes key suppliers, vendors, and outsourced functions).
2. Key business partner contracts and service-level agreements are identified and key provisions documented.
3. Right-to-audit clauses are periodically triggered, and Statement on Auditing Standards (SAS) 70/Statement on Standards for Attestation Engagements (SSAE) 16 or equivalent business partner reporting is received (i.e., system validation exercises, including back-up recovery capabilities and periodic security reviews).

SUB AREA 2: BCP methodology linkage to business, operational, and financial strategy
Item: Business strategy
Possible considerations:
1. BCP is based on the company’s business strategy.
2. All relevant entities and critical functions are considered within this BCP.
Item: Operational/technical strategy
Possible considerations:
1. Operational and IT strategies are integrated.
2. BCM planning is considered in every relevant business decision.
3. BCP/CMP responsibilities, including maintenance, are incorporated in applicable employee job descriptions and personnel evaluations.
4. BCP is updated, reviewed, and tested at a frequency appropriate for the risks, vulnerabilities, and value of business functions.
Item: Financial strategy
Possible considerations:
1. Adequate financial resources are made available for the preparation and maintenance of a BCP.

SUB AREA 3: Impact analysis (includes business impact analysis [BIA], risk evaluation, and controls)
Item: Tone at the top
Possible considerations:
1. Board of directors and senior management support the BCM initiative.
2. A senior executive is responsible for ensuring successful implementation, maintenance, and update of plans supporting BCM.
3. BCM policy/charter exists and is updated periodically.
4. BCM-related plans, including BCP and CMP, are approved by the board of directors and each appropriate level of management.

Item: Risk assessment
Possible considerations:
1. A comprehensive impact analysis/BIA exists and is prepared with line of business input.
2. Various types of events that could prompt the formal declaration of a crisis or disaster, and the process for invoking the BCP and CMP, are clearly described.
3. Work flow analysis was performed and results are documented, if deemed necessary by the organizational leadership.
4. Prioritization of business functions is adequate.
5. Risk assessment includes impact and probability of disruptions of all business, operational, and IT areas, and considers acceptable downtime.
6. Procedures exist to execute the plan’s priorities for critical versus noncritical functions, services, and processes.
7. The estimated financial impact of an emergency accurately reflects the cost the organization would incur.
8. Reputation risks are considered and all relevant stakeholders are considered in the BIA.
Item: Mitigation
Possible considerations:
1. Adequate risk mitigation, including preparedness and prevention strategies, has been considered, such as:
   a) Alternative locations and capacity (ensure geographic diversity).
   b) Back-up of data, applications, telecommunications, and other relevant resources is ensured and procedures exist.
   c) Communication channels in case of emergency are clearly defined (communication tree).
2. All critical personnel are identified and the contact list is kept up to date.
3. Employees understand their role in case of emergency.
4. Redundant vendor support is established.

SUB AREA 4: Recovery plan
Item: Recovery point objective (RPO)
Possible considerations:
1. RPOs are clearly defined and communicated.
2. RPOs consider the organization’s recovery needs.
Item: Recovery time objective (RTO)
Possible considerations:
1. RTOs are clearly defined and communicated.
2. Recovery time adequately reflects how much downtime the organization is willing to tolerate.
3. BIA results are considered in defining RPO and RTO.
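The RPO and RTO items above ask whether the objectives are defined, communicated, and grounded in the BIA. Whether they are actually achievable can be tested against management’s own backup and recovery records rather than against the backup schedule. The following Python script is an added example and is not part of the IIA guide; the log format, system names, stated objectives, and outage record are all constructed for illustration. It derives the worst-case data loss a backup job log supports (the longest gap between consecutive successful jobs, which a single failed job silently lengthens) and measures one recovery against the stated RPO and RTO.

```python
"""Test stated RPO/RTO against backup and recovery evidence.

Added example for illustration; not part of the IIA practice guide. The log
format, system names, objectives and outage record below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed backup job log: <ISO timestamp> <system> <result>.
BACKUP_LOG = """\
2013-04-01T02:00:00 payroll-db SUCCESS
2013-04-02T02:00:00 payroll-db SUCCESS
2013-04-03T02:00:00 payroll-db FAILED
2013-04-04T02:00:00 payroll-db SUCCESS
2013-04-01T02:30:00 crm-db SUCCESS
2013-04-01T14:30:00 crm-db SUCCESS
2013-04-02T02:30:00 crm-db SUCCESS
"""

# Stated objectives taken from the (constructed) BIA: system -> (RPO, RTO).
OBJECTIVES = {
    "payroll-db": (timedelta(hours=24), timedelta(hours=8)),
    "crm-db": (timedelta(hours=12), timedelta(hours=4)),
}

# Constructed outage record for one incident on payroll-db. The copy restored
# is the 04-02 backup because the 04-03 job had failed.
SAMPLE_OUTAGE = {
    "system": "payroll-db",
    "outage_start": datetime(2013, 4, 3, 10, 0),
    "restore_point": datetime(2013, 4, 2, 2, 0),
    "restored_at": datetime(2013, 4, 3, 16, 0),
}


def parse_backup_log(text):
    """Return {system: sorted completion times of SUCCESSFUL jobs only}.

    Failed jobs are deliberately dropped: they provide no restore point, so
    they must not count toward the achievable RPO.
    """
    successes = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, system, result = line.split()
        if result == "SUCCESS":
            successes[system].append(datetime.fromisoformat(stamp))
    return {system: sorted(times) for system, times in successes.items()}


def achievable_rpo(success_times):
    """Worst-case data loss the evidence supports: the longest interval between
    consecutive successful backups. Returns None if fewer than two successes."""
    if len(success_times) < 2:
        return None
    return max(later - earlier
               for earlier, later in zip(success_times, success_times[1:]))


def rpo_findings(log_text, objectives):
    """Compare the achievable RPO per system with the RPO management states."""
    findings = {}
    for system, times in parse_backup_log(log_text).items():
        stated_rpo = objectives[system][0]
        worst_gap = achievable_rpo(times)
        findings[system] = {
            "stated_rpo": stated_rpo,
            "worst_gap": worst_gap,
            "rpo_supported": worst_gap is not None and worst_gap <= stated_rpo,
        }
    return findings


def evaluate_outage(outage, objectives):
    """Measure an actual or exercised recovery against RPO and RTO.

    Data loss is the time between the restored copy and the outage; downtime
    is the time between the outage and service restoration.
    """
    rpo, rto = objectives[outage["system"]]
    data_loss = outage["outage_start"] - outage["restore_point"]
    downtime = outage["restored_at"] - outage["outage_start"]
    return {
        "data_loss": data_loss,
        "rpo_met": data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


if __name__ == "__main__":
    for system, finding in rpo_findings(BACKUP_LOG, OBJECTIVES).items():
        print(f"{system}: worst gap {finding['worst_gap']}, "
              f"stated RPO {finding['stated_rpo']}, "
              f"supported: {finding['rpo_supported']}")
    print(evaluate_outage(SAMPLE_OUTAGE, OBJECTIVES))
```

Run as a script, the payroll-db case shows how one failed nightly job turns a stated 24-hour RPO into 48 hours of exposure, and how the recovery that followed met its RTO while losing 32 hours of data. Only completion reports for successful jobs, not the schedule, surface that gap.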

SUB AREA 5: Awareness, testing, and training
Item: Testing policy
Possible considerations:
1. Within the BCP, the organization has set testing requirements for the organizationwide continuity functions, business lines, support functions, and CM.
2. Key roles and responsibilities are defined in the testing policy.
3. Testing cycles with increasing levels of test scope and complexity are defined.
Item: Testing strategy
Possible considerations:
1. Testing strategy includes documented test plans and related testing scenarios, methods, and schedules.
2. Expectations for testing internal and external interdependencies are defined.
3. Testing strategy is in line with management’s assumptions and expectations.
4. BCP is validated through annual or more frequent testing cycles.
Item: Testing observations
Possible considerations:
1. Tests are done without prior notice to employees. The internal audit activity may observe management’s execution of test exercises with focus on the following:
   a) All relevant employees were available and received timely communication.
   b) Back-up facilities and resources satisfied the needs of the business units.
   c) Relevant back-up procedures worked as intended.
   d) Key business partners were included in the testing.
   e) Business processes were re-established in the expected time frame.
2. Internal audit documents audit findings.
Item: Post-testing
Possible considerations:
1. Gap analysis is performed by the BCM leadership team.
2. Internal audit independently documents and communicates audit findings, if any.
3. BCM findings or areas for improvement are addressed and corrected; the BCM leadership team discusses corrective actions and communicates findings to appropriate stakeholders. Such data may support the need for BCM evolution or plan updates.

4. Conclusions regarding the testing program, and whether it is appropriate for the size, complexity, and risk profile of the organization, are documented pursuant to plan content.
5. Board of directors and/or executive management is informed of testing results.
Item: Training
Possible considerations:
1. All staff are trained and aware of their responsibilities.
2. Training details, such as content, participants, and timing, are documented.

Example 2:
Selected portions of the assessment below are completed to provide examples of potential content.

BCM RISK OR SELF-ASSESSMENT
(Columns: item, question, status, assessment notes. Status values: Yes, No, NI = needs improvement.)

PURPOSE, SCOPE, AND OBJECTIVES

Define program
- Is the BCM program documented to define the following?
  • BCM purpose, scope, and objectives.
  • BCM procedures.
  • BCM resources, roles, and responsibilities.
  • BCM measurement and verification.
  • BCM continual improvement.
  Status: Yes. Notes: Overall program scope established and documented.
- Does the BCM scope cover the entire operation, including all business processes and operations, as well as related facilities and workforce that are the responsibility of the company?
  Status: No. Notes: All facilities not addressed.

PROCEDURES

Risk assessment
(Designed to identify threat scenarios (credible events) that could disrupt business. To successfully complete this BCM risk assessment, those who are knowledgeable of threats to the organization, environment, and region should participate. Participation may include those from security staff, facilities staff, etc.)
- Has a BCM risk assessment been conducted for the organization?
  Status: NI (needs improvement). Notes: Greater formalization and documentation needed.
- Did the risk assessment consider these categories of risks?
  • Natural hazards.
  • Militant/people.
  • Human factors/IT.
  • Operational.
  Status: NI. Notes: Consider regional events.
(A site-based BCM risk assessment should be completed and shared with applicable facility/location tenants.)
- Were risk mitigation strategies identified?
- Were risks mitigated?
- Did you align your BCM risk assessment (e.g., disaster scenarios) with other organizations at your site?

Business impact analysis (BIA)
(Identifies critical business processes that need to be recovered following a disaster event. After completing the BIA, identify recovery solutions needed to resume the critical business processes.)
- Has a BIA been conducted for the organization (including all business teams)?
- Were critical business processes identified?
- Has your leadership team approved the list of critical business processes identified during the BIA and the associated proposed recovery solutions?

Recovery solutions
(Recovery solutions are developed, and a list of the resources needed to support the CM (recovery) efforts of the organization and/or team is created.)
- Have the recovery solutions and resource requirements been identified for each critical process?
- Have all teams documented the resources required to recover critical business processes?
- Have the IT requirements been assessed?

Written plans
- Has a written BCP been prepared that includes all business teams, critical business processes, and the organizational CMP?

www.globaliia.org/standards-guidance / 15
IPPF – Practice Guide
Business Continuity Management

BCM RISK OR SELF-ASSESSMENT

ITEM STATUS ASSESSMENT NOTES


Service-level agreements (SLAs), memorandum of understanding (MOU), and contracts
- Have SLAs and/or an MOU been established for:
  • Office space (with facilities management)?
  • IT/communications (with IT provider)?
  • Data restoration (with IT provider)?
  • Other third-party contracts?
- Has action been taken to protect company interests when third-party contracts include a “force majeure” clause?

Alignment
- Do you participate in multitenant, multisite coordinated planning?
- Has your organization established an emergency communications plan, including accounting for all staff?
- Have you aligned the BCP with CM and emergency response?

Training and exercise
- Have the BCM executive and BCM manager received training?
- Has the BC coordinator been trained?
- Have all members of the BCM team received training pertaining to their roles and responsibilities?
- Are key BCM activities exercised on an annual basis or more frequently?
  • Notification drill.
  • Tabletop exercise.
  • Functional exercise.
  • Full-scale exercise.

RESOURCES, ROLES, AND RESPONSIBILITIES

Staff supporting BCM
- Have you verified that alternative staff who will perform critical work have the capabilities (knowledge, access, etc.) to perform these functions?

BCM executive
(Serves as organizational advocate for BCM (including alignment with the leadership team), supporting the creation and adoption of BCM plans through the effective coordination of funding, personnel, and consideration of the organization’s business plan and risks.)
- Has the organization’s leadership team identified a BCM executive?
- Does the BCM executive have access to the leadership team?
- Are funding, personnel, and resources adequate?
- Has BCM been coordinated with other organizational processes and linked to the organization’s business plan?

BCM manager
- Has an organizationwide BCM manager been identified?
- Does the BCM manager coordinate and lead the implementation of BCM?
- Does the BCM manager ensure cross-functional resources are available and appropriately engaged when needed?
- Does the BCM manager ensure the effectiveness and efficiency of CM is measured, verified, and periodically reviewed for improvement opportunities?

BCM coordinator
- Has an organizationwide BCM coordinator been identified?
- Does the BCM coordinator manage business continuity planning at the organization, business unit (BU), regional BU, or other sub-level?
- Does the BCM coordinator participate in multitenant, multisite coordination activities, as appropriate?

MEASUREMENT AND VERIFICATION
- Are measurement and verification processes in place to verify annually that requirements of BCM have been addressed in a way that is aligned with current business needs?

CONTINUAL IMPROVEMENT
- Have the IT requirements been validated, including IT requirements needed to support relocation planning, network or remote access, local or central data, etc.?
- Are measurement and verification processes linked with continual improvement processes?
- Do you track actions required to resolve BCM gaps identified during the BCM exercise to ensure timely completion?
- Do you have a process in place to reassess the effectiveness of your BCM program?

Practice Aid II: Glossary of Key Terms

Business Continuity Plan (BCP) – a plan for maintaining the continuity of critical business processes, protecting critical assets, and providing service and support to customers in the face of a crisis, disaster, incident, or emergency. Such a plan allows an organization to recover effectively from, and manage risks associated with, a crisis. This is often included in a crisis management program.

Business Continuity and Recovery Planning (BCRP) – a proactive method by which organizations can identify business continuity and recovery measures to manage and mitigate key organizational risks triggered by a crisis.

Crisis – an event that, if not handled appropriately, may significantly impact an organization’s ability to operate, remain profitable, and manage reputational risk. Commonly, these are natural or physical disasters, failures of critical operations and/or connectivity, disruptions to key business partner relationships, and technology exposures.

Crisis Management Program (CMP) – a consolidated portfolio of activities consisting of preventive and reactive measures executable by an organization to effectively mitigate and manage risks implied by a crisis or event. A CMP often will include a business continuity plan and a disaster recovery plan.

Disaster – a sudden, unplanned catastrophic event causing unacceptable damage or loss. This may include events that compromise an organization’s ability to provide critical functions, processes, or services. This is an example of an event in which business continuity and/or disaster recovery plans often are activated as part of an overall CMP.

Emergency – an unplanned, impending incident or situation that may cause injury; loss of life; destruction of property; or interference, loss, or disruption of normal business operations. Such events may escalate into a crisis if not controlled or managed.

Incident – an event that is not part of operational standards, which may temporarily impact a business and in some cases could lead to an emergency or disaster.

Impact Analysis – a process to analyze key operational functions or critical data with a view to understanding the potential internal or external impact of potential loss/disruption. Impact analysis includes Business Impact Analysis (BIA), which involves the identification of critical business assets, functions, and resources, as well as an evaluation of the potential damage or loss that may be caused to the organization resulting from a disruption or a change in the business or operating environment. A BIA should identify: a) sources of damage, interruption, or loss; b) the extent to which time passage will magnify the potential damage, interruption, or loss; c) the level of services or resources required to sustain core business activities; and d) the time line during which all critical business assets, functions, and resources should be restored to avoid permanent significant loss for the organization.

Recovery Point Objective (RPO) – the point in time to which systems and data must be recovered after an outage (e.g., end of previous day’s processing). RPOs often are used as the basis for developing backup strategies and to determine the amount of data that may need to be recreated after the systems or functions have been recovered.

Recovery Time Objective (RTO) – the period of time within which systems, applications, or functions must be recovered after an outage (e.g., one business day). RTOs often are used as the basis for developing recovery strategies and to determine whether to implement those strategies during a disaster situation. Maximum allowable downtime is a commonly associated term.

Risk Assessment/Analysis – the process of identifying the risks to an organization, assessing the critical functions necessary for an organization to continue business operations, defining the controls in place to reduce organizational exposure, and evaluating the cost for such

controls. Risk analysis often involves an evaluation of the probabilities and likelihood of a particular event. A crisis is an example of an event.

Practice Aid III: BCM Standards and Guidance Resources

Numerous resources provide standards and guidance related to BCM. Resources include frameworks and maturity models to benchmark the internal auditor’s role in supporting the business continuity plan (BCP) and crisis management plan (CMP) development life cycles. Many resources may serve to educate internal audit staff and provide an opportunity for knowledge sharing with organization management seeking to build, adjust, or validate BCM efforts. Resources as of April 2013 include:

• The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards) and related guidance (www.theiia.org), including:
  o Global Technology Audit Guide 10: Business Continuity Management. This guidance includes: 1) common disaster scenarios, 2) management roles during business interruption, 3) disaster recovery solutions, 4) risk assessment and mitigation, 5) business recovery and continuity strategy, and 6) CM plan testing.
  o 2010 GAIN Survey and Results–Crisis Management.
  o Audit Executive Center’s 2011 Knowledge Alert–Three Crisis Management Imperatives for CAEs.
• ANSI/ASIS/BSI BCM.01:2010, Business Continuity Management Systems–Requirements With Guidance for Use (2010). Collaboration between the American National Standards Institute (ANSI), ASIS International, and the British Standards Institute (BSI) to provide a framework of auditable criteria and accompanying guidance that can be tailored to meet the needs of organizations across their global operations.
• Disaster Recovery Institute (www.drii.org), Professional Practices for Business Continuity Planners (2008). A widely used framework that includes information on: 1) program initiation and management, 2) risk evaluation and control, 3) business impact analysis, 4) business continuity strategies, 5) emergency response and operations, 6) business continuity plans, 7) awareness and training programs, 8) audit and maintenance, 9) communications, and 10) coordination with external agencies.
• Federal Financial Institutions Examination Council (www.ffiec.gov), Business Continuity Planning, IT Examination Handbook (2008). The handbook includes seven elements: 1) board and senior management responsibilities, 2) business continuity planning process, 3) business impact analysis, 4) risk assessment, 5) risk management, 6) risk monitoring and testing, and 7) other policies, standards, and processes.
• The Business Continuity Institute’s (www.thebci.org) Good Practice Guidelines (2010). The guidelines include six elements: 1) policy and program management, 2) embedding BCM in the organization’s culture, 3) understanding the organization, 4) determining BCM strategy, 5) developing and implementing a BCM response, and 6) exercising, maintaining, and reviewing.
• International Organization for Standardization (ISO) (www.iso.org) guidelines:
  o ISO/Publicly Available Specification (PAS) 22399, Societal Security–Guideline for Incident Preparedness and Operational Continuity Management (2007). “Provides general guidance for an organization (private, governmental, and nongovernmental) to develop its own specific performance criteria for incident preparedness and operational continuity, and design an appropriate management system.”
  o ISO/IEC 24762, Guidelines for Information and Communications Technology Disaster Recovery Services (2008). “Provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of BCM, applicable to both ‘in-house’ and ‘outsourced’ ICT DR service providers of physical facilities and services.”
  o ISO/IEC 27001, Information Security Management Systems–Requirements (2005). Assists organizations in developing an information security management system that is integrated, comprehensive, and incorporates globally recognized best practices.
  o ISO 22301, Societal Security–Business Continuity Management Systems–Requirements (2012), which superseded BS 25999-2. Specifies generic BCM system requirements applicable to all organizations or parts thereof.
• British Standards Institute (www.bsigroup.com).
  o PAS 200 (2011) advises organizations regarding the types of activities and resources they need to develop and maintain to allow for effective crisis detection, preparedness, and response. This specification is sponsored by the U.K. Cabinet Office, and the crisis management specification has been developed through consultation with several leading U.K. businesses and public organizations. This specification addresses the requirements for CM, in addition to the guidance provided by BS 25999: Business Continuity Management and ISO 27001.
  o BS 25777: Information and Communications Technology Continuity Management–Code of Practice (2008). “Provides recommendations for information and communication technology continuity management within the framework of business continuity management provided by BS 25999-1.”

Several organizations mentioned above also provide BCP education and certifications. Other organizations that offer such training and certifications include:

• Business Continuity Management Institute (www.bcm-institute.org).
• Business Continuity Planners Association (www.bcpa.org).
• Business Resilience Certification Consortium International (www.brcci.org/index.htm).

Authors:
David Bentley, CIA
Brian Foster, CIA
Brian Peterson
Brian Reed, CIA
Erich Schumann, CIA, CRMA
Rita Thakkar, CIA
Benito Ybarra, CIA

Reviewer:
Steven E. Jameson, CIA, CCSA, CFSA, CRMA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2014 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

GLOBAL HEADQUARTERS
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org

140455
IPPF – Practice Guide

Chief Audit Executives — Appointment, Performance Evaluation, and Termination

May 2010
Table of Contents

Introduction ........ 1
Executive Summary ........ 1
Appointing a CAE ........ 1
  Attributes ........ 2
  Skills ........ 2
Evaluating CAE Effectiveness ........ 3
  Attributes ........ 3
  Skills ........ 3
Termination of the CAE ........ 4
  The CAE Resigns, Retires, or Contract Period Expires ........ 4
  The CAE is Terminated by the Employer ........ 5
Detailed Internal Auditor Competencies ........ 5

www.theiia.org/guidance / B

Introduction

This practice guide discusses the types of considerations senior management and boards of directors would typically address when appointing, evaluating, or terminating a chief audit executive (CAE). CAEs may also want to have a good understanding of these considerations as they evaluate their own performance and how they support an organization in their role.

The International Professional Practices Framework’s (IPPF’s) International Standards for the Professional Practice of Internal Auditing (Standards) include attribute and performance standards that help identify the attributes and skills of an effective CAE.

Executive Summary

In today’s business environment, where there is increasing focus on governance, risk management, and control, appointing a CAE is a critical undertaking for any organization. This imperative activity is one of the key responsibilities of the organization’s board. The CAE will have a high degree of interaction with senior management and the board and thus needs to demonstrate the right attributes and skills for the position.

The CAE’s unique role in the organization requires independence and objectivity while also demonstrating an ability to partner within the organization to add value to its operations. Independence and objectivity are fundamental to the CAE’s role because the individual must be willing to raise difficult issues with both senior management and the board, even if that proves unpopular. To maintain credibility, CAEs must demonstrate the ability to escalate difficult issues to an appropriate level to ensure they are adequately addressed. In addition, a CAE exhibits the attributes of integrity, intellectual curiosity, and a focus on audit quality. Key skill categories for a CAE include technical, business, communication, and people management skills.

During the process of a CAE’s appointment and periodic evaluations, senior management and the board typically will consider those attributes and skills. A CAE may want to consider them when evaluating his or her own performance and considering his or her development needs.

APPOINTING A CAE

When hiring a CAE, the board and senior management will likely seek individuals who possess strong management and leadership skills. While strong internal audit knowledge, technical skills, and experience at the time of appointment would be an advantage, they are not a requirement if the internal audit staff collectively have the requisite knowledge, skills, and experience to deliver internal audit services in accordance with the Standards. However, it is strongly encouraged that all CAEs, either before appointment or within a reasonable time period after appointment, demonstrate a strong understanding of the roles and responsibilities of internal audit, the IPPF, and audit technical skills through attainment of the Certified Internal Auditor® (CIA®) designation. The key professional and personal attributes are likely to be detailed in the job description for the position and will generally make clear the reporting relationships with the board and senior management. The board may request to meet with the CAE candidates before making a final hiring decision.

Potential CAEs also need to demonstrate well-tuned soft skills, including the ability to:

• Accurately evaluate situations and instinctively do the right thing in the face of opposition and conflict.
• Demonstrate good judgment and strength of character and bring forth issues in a balanced way.
• Present himself or herself as an astute business person, with excellent verbal and written communication skills, a clear and analytical thinker, a good facilitator and consensus-builder, and a creative problem-solver and idea generator.
• Behave as an ethical professional who can be trusted always to operate at the highest level of integrity and to act on the strength of his or her convictions regardless of the potential consequences.

For CAEs to be effective in today’s dynamic environments they must have the following essential attributes and skills.

Attributes

Independent, Objective, and Ethical.
• The CAE should be both a partner to senior management in monitoring the organization’s ethical and operational environment and an independent and objective professional in assessing the results of management’s work on behalf of the board.
• The CAE must balance these two responsibilities and deliver an unbiased and equitable assessment under all circumstances. Uncompromising ethics, the ability to listen with an open mind, and the strength and integrity to be firm under pressure will enable the CAE to report to the board and senior management evidence-based, objective findings of the internal audit work performed.

Intellectually Curious.
• The CAE should be a curious explorer, investigative reporter, and avid analyst whose role it is to discover, interpret, question, and challenge. This once again enables the CAE to add value and to provide independent and objective assurance and consulting to all levels of the organization.

Quality Focused.
• The CAE should have a strong focus on the quality of the internal audit activity, achieving the highest level of professionalism. This includes adhering to the IPPF, which requires establishing a quality assurance and improvement program and undergoing internal and external quality assessments.

Skills

Solid Business, Technical, and Process Skills.
• To effectively evaluate risk, assess sufficiency of controls, identify process improvement opportunities, and effectively communicate with senior management and the board, the CAE must have a good understanding of the organization’s business processes and the structures used in the delivery of these processes. Additionally, in today’s environment where IT drives key business processes, the CAE needs to understand the organization’s IT environment to identify and assess the magnitude of the IT-related issues facing the organization.

Communication and Listening Skills.
• The CAE must communicate in a concise, professional manner to be effective in articulating risks and opportunities to a broad spectrum of stakeholders, including the board, senior management, external auditors, and regulatory agencies.
• The CAE also must demonstrate excellent listening skills during all exchanges with the various stakeholders.

People Management.
• To build and sustain a successful internal audit team, which may include or consist of cosourced professionals from an external service provider, the CAE must be an effective leader and exhibit expert management skills. The CAE must be able to bring out the best in people, while balancing differing needs of professional growth, travel, and personal life.

Before appointment, the CAE candidate may wish to inquire whether the organization has an appropriately constituted board and determine if they have the proper safeguards in place to enable the CAE to carry out the duties of the position. This enables CAEs to fulfill their responsibilities objectively without fear of reprisal and to know that action will be taken by the board if required. Without this safeguard, the CAE could be removed, placed under duress, censored, or have his or her scope and resources reduced inappropriately by senior management.

EVALUATING CAE EFFECTIVENESS

An effective internal audit activity will likely include the board and senior management having in place a formal evaluation of the CAE’s performance on a regular (at least annual) basis. This evaluation could include criteria pertaining to the CAE’s required attributes and skills. The CAE may be required to review the criteria through a scorecard, which can be tied back to the internal audit activity charter and the CAE’s job description.

CAEs should be prepared for their performance evaluations to include the criteria described below.

Attributes

Independent, Objective, and Ethical.
• The CAE demonstrates objectivity in his or her actions and provides verbal and written reports that are clear, complete, and free from bias.
• The CAE communicates issues accurately and timely, even when there is opposition and conflict in doing so.
• The CAE provides a balanced perspective on topics such as organizational risks and exposures and can maintain positions in meetings even when they may be contrary to popular and forceful opinion.
• The CAE is open and direct in his or her communication with the board and candidly expresses opinions in executive sessions.¹
• The CAE and his or her team have no direct authority to perform operational duties for the organization that conflict with the scope of the internal audit activity.

Intellectually Curious.
• The CAE monitors the organization and its surroundings regularly, and provides proactive audit responses to changes in the risk environment (for example, new products and services, changes in regulation).
• The CAE incorporates the latest developments and new ideas related to governance, risk management, and internal controls into his or her practice where appropriate.

Quality Focused.
• The CAE ensures that work is performed in accordance with all elements of the IPPF.
• The CAE facilitates the monitoring of quality by both continuous and periodic, internal and external quality assurance initiatives and addresses performance gaps through monitored action plans.
• The CAE incorporates feedback from the board, as appropriate, to improve the quality of internal audit services provided.
• The CAE routinely collects critical feedback from stakeholders to improve internal audit service and ensure stakeholder expectations are continuously assessed and met.
• The CAE has appropriate professional credentials, preferably holding the CIA designation, and actively encourages all internal audit staff to attain and maintain such qualifications.

¹ Executive sessions are those where the CAE meets alone with the board without the presence of organization management.

Skills

Solid Business, Technical, and Process Knowledge.
• Adequate audit coverage is aligned with organizational goals and documented in annual and long-term internal audit plans.
• Internal audit plans are developed and documented using a risk-based methodology to ensure they are focused on the right areas, performed on the right cycle, and with the right scope.
• The CAE has a thorough understanding of the business and related risks and ensures resources are deployed to maintain appropriate risk coverage throughout the year.
• The CAE requests appropriate board and senior management input to the internal audit plan.
• The CAE works effectively with the external auditor and other stakeholders to ensure sufficient and efficient risk coverage.
• Plans are monitored and amended as the business environment and risks change, and the board and senior management are appropriately informed of such amendments.
• The CAE allocates time for special projects and advisory services as requested by senior management and/or the board after appropriate consideration of the risks involved.
• The CAE is held accountable for achieving planned internal audit coverage.
• No major control issues come to light after audit work that indicate a deficiency in the scope or quality of the audit.

Communication and Listening.
• The CAE requests regular, concise communications with the board (through formal meetings, executive sessions, and access to board members for private conversations).
• The CAE provides a balanced perspective on topics such as organizational governance, risk, and internal control issues.
• When issues requiring action are identified, the CAE works with senior management to facilitate effective solutions and encourage appropriate corrective action in a timely manner.
• The CAE candidly expresses opinions to senior management and can maintain positions in meetings even when they may be contrary to popular opinion.
• The CAE holds regular meetings with other stakeholders for purposes of debriefing, sharing information, and ensuring ongoing coordination.

People Management.
• The CAE maintains adequate resources to discharge responsibilities and manages turnover to appropriate levels.
• The CAE has available, or acquires, resources with the professional proficiency and business knowledge required to execute the audit plan.
• The CAE effectively uses expertise of other departments as necessary, such as legal, compliance, fraud, and IT.
• The CAE supports internal audit staff who rotate into and out of management and line positions to promote the importance of control awareness in all aspects of the organization.
• The CAE’s reliance on and coordination with the external auditors are optimized, resulting in appropriate audit coverage at a reasonable cost while minimizing duplication of effort.
• The CAE provides staff with appropriate performance evaluations.

TERMINATION OF THE CAE

The termination of the services of the CAE may be voluntary by the CAE or involuntary. Upon termination, the board would likely consider the following issues.

The CAE Resigns, Retires, or Contract Period Expires.

The CAE may resign or retire from the position at any time in accordance with the conditions of the contract (if a contract exists) by providing appropriate notice to the employer. The CAE may wish to resign for a range of reasons, and the employer, through the board, may have in place a process, such as an exit meeting and/or a questionnaire, to identify the reasons for the CAE’s resignation and determine whether there are any issues that require further attention. When a contract exists and the term expires but is not renewed, the board may desire assurance that nonrenewal of the contract is appropriate.

Questions the board might consider include:
• Did the CAE resign due to inappropriate limitations placed on the scope of his or her role and activities by management?
• Did the CAE resign due to remuneration/bonus issues, which management controlled?
• Did the CAE receive adequate support from the board and management to enable conformance with the Standards?
• Did the CAE have adequate resources to fulfill the requirements of the internal audit activity?
• Are there opportunities for future improvement that the CAE would recommend?

The CAE is Terminated by the Employer.

Generally, the board would oversee the termination of a CAE. Boards will want to determine if termination is justified and appropriate. Identifying sensitive issues or wrongdoing by management are not reasons a board would generally consider for termination of a CAE; whereas, termination that is either voluntary or due to poor performance would be considered acceptable. The board will most likely want to ensure the termination is not voluntary in appearance only, but is genuinely voluntary.

It is reasonable for the CAE to expect that the board may consider terminating his or her services when there is adequate evidence that:
• Stipulated professional performance requirements were not met.
• A material breach of either The Institute of Internal Auditors’ (IIA’s) Code of Ethics or the organization’s internal code of conduct was committed.
• Material non-conformance with the IPPF’s Standards exists.

When an involuntary termination is considered, the CAE needs to be prepared for the board to:
• Review the documentation related to the performance issue(s).
• Meet with the member(s) of senior management responsible for the recommendation for termination.
• Meet privately with the CAE to confirm/discuss the performance issue(s), including the questions posed above.

Detailed Internal Auditor Competencies

The IIA has developed a detailed competency framework for CAEs and all levels of internal auditors. It is available at: http://www.theiia.org/guidance/additional-resources/competency-framework-for-internal-auditors/.


Authors
• Stephen Linden
• Cavell Alexander, CIA
• Amipal Manchanda
• Kathy B. Robinson, CIA, CFSA
• Richard A. Schmidt, CIA
• Fred F. Steenwinkel, CIA
• Adnan Zaidi, CIA, CCSA

Reviewers and Contributors


• Douglas J. Anderson, CIA
• Steven E. Jameson, CIA, CCSA, CFSA
• James A. Rose, III, CIA

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Practice Guides are part of The IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

global headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
IPPF – Practice Guide

Coordinating Risk Management and Assurance

March 2012
IPPF – Practice Guide
Coordinating Risk Management and Assurance

Table of Contents

Executive Summary ........................................................................... 1
Introduction ................................................................................ 1
Risk Management and Assurance (Assurance Services) ............................................ 1
Assurance Framework ......................................................................... 2
The Respective Roles of Risk Management, Internal Audit, Compliance, and Other Assurance Providers ... 4
Coordination Role of the CAE ................................................................ 4
Using the Risk Management Process in Internal Audit Planning ................................ 6
Preparation of Assurance Maps ............................................................... 8
Feedback on Significant Risk Areas in Internal Audit Reports ................................ 8
Assessment by Internal Audit of the Adequacy of Risk Management ............................. 8
The Promotion of Risk Management by Internal Audit .......................................... 9
Where Internal Audit Facilitates Risk Management ........................................... 10
Impact on Internal Audit Where a Formal Risk Management Function Does Not Exist ............ 10

www.globaliia.org/standards-guidance / B
IPPF – Practice Guide
Coordinating Risk Management and Assurance

Executive Summary Introduction


Risk management is fundamental to organizational con- Standard 2050: Coordination states, “The chief audit ex-
trol and a critical part of providing sound corporate gov- ecutive [CAE] should share information and coordinate
ernance. It touches all of the organization’s activities. The activities with other internal and external providers of as-
establishment of an effective enterprise-wide risk man- surance and consulting services to ensure proper coverage
agement system is a key responsibility of management and and minimize duplication of efforts.” This responsibility
the board, which are responsible for adopting a holistic requires the CAE’s inclusion and participation in the orga-
approach to the identification of organizational risks, cre- nization’s assurance provider framework. This framework
ating controls to mitigate those risks, and monitoring and can consist of internal audit, external audit, governance,
reviewing the identified risks and controls. They should risk management, or other business control functions/
ensure that risk management is integrated into the organi- disclosures performed by the organization’s management
zation, both at the strategic and operational levels. team. Inclusion and participation in this framework helps
ensure that the CAE is aware of the organization’s risks
With responsibility for assurance activities traditionally and controls in relation to organizational goals and objec-
being shared among management, internal audit, risk tives.
management, and compliance, it is important that as-
surance activities be coordinated to ensure resources are Boards will use various sources to gain reliable assurance,
used in an efficient and effective way. Many organizations including management, internal audit, and third parties.
operate with traditional (and separate) internal audit, risk, As discussed in Practice Advisory 2050-2: Assurance
and compliance activities. It is common for organizations Maps, an assurance map is a valuable tool for coordinat-
to have a number of separate groups performing different ing risk management and assurance activities to increase
risk management, compliance, and assurance functions the efficiency and effectiveness of risk management as-
independently of one another. Without effective coordi- surance investments made by an organization.
nation and reporting, work can be duplicated or key risks
may be missed or misjudged.
Risk Management
Many internal audit functions work in close cooperation and Assurance
with risk management. Some organizations do not have a
formal risk management function and in this case the in- (Assurance Services)
ternal audit activity often provides risk management con- The International Standards for the Professional Practice
sulting services to the organization. Internal audit should of Internal Auditing (Standards) Glossary defines risk
not give independent assurance on any part of the risk management as “a process to identify, assess, manage, and
management framework for which it is responsible. Other control potential events or situations to provide reason-
suitably qualified parties should provide such assurance. able assurance regarding the achievement of the organiza-
tion’s objectives.” This is consistent with the International
Standards Organization’s definition of risk management,
which is “coordinated activities to direct and control an
organization with regard to risk.”

www.globaliia.org/standards-guidance / 1
IPPF – Practice Guide
Coordinating Risk Management and Assurance

Enterprise risk management (ERM) — also known as


enterprise-wide risk management — is a commonly used
Assurance Framework
term. The Committee of Sponsoring Organizations of the The need for assurance arises from an organization’s gov-
Treadway Commission defines it as “a process, effected ernance processes. Its origin is in the stewardship rela-
by an entity’s board of directors, management, and other tionship between the board of an organization and its
personnel, applied in strategy setting and across the enter- shareholders. This stewardship relationship demands
prise, designed to identify potential events that may affect that boards establish processes to both delegate and limit
the entity, and manage risk to be within its risk appetite, to power to pursue the organization’s strategy and direction
provide reasonable assurance regarding the achievement in a way that enhances the prospects for the organization’s
of entity objectives.” long-term success. Assurance processes are needed to al-
low the board to monitor the exercise of that power.
Assurance services should be objective and professional,
and can be obtained from a range of assurance providers. Risk management is a management process that promotes
Such providers can be internal — such as internal audit, the efficient and effective achievement of organizational
workplace health and safety, compliance, and security — objectives. Assurance and risk management are comple-
as well as external, such as statutory audit. mentary processes. In support of the risk management
process, the major role of internal audit and other inde-
The Glossary of the Standards defines assurance services pendent assurance providers is to provide assurance that:
as “an objective examination of evidence for the purpose
of providing an independent assessment on governance, • The risk management process has been applied
risk management, and control processes of the organiza- appropriately and that elements of the process are
tion.” suitable and sufficient.
• The risk management process is keeping with the
There are generally three parties involved in assurance
strategic needs and intent of the organization.
services:
• Processes and systems are in place to ensure that
• The person or group directly involved with the entity, all material risks have been identified and are being
operation, function, process, system, or other subject treated.
matter, and oversight functions such as risk manage- • All prioritized intolerable risks have cost-effective
ment, compliance, and finance. treatment plans in place.
• The person or group making the assessment (the as- • Controls are being correctly designed in keeping with
surance provider). the outputs of the risk management process.
• The user of the assessment, such as executive man- • Key controls are adequate and effective.
agement and the board.
• Risks are not over-controlled or inefficiently con-
trolled.
• Line management review and other non-audit as-
surance activities are effective at maintaining and
improving controls.
• Risk treatment plans are being executed.

www.globaliia.org/standards-guidance / 2
IPPF – Practice Guide
Coordinating Risk Management and Assurance

• There is appropriate and as-reported progress in the provision of a formal statement of compliance or comfort
risk management plan. to an external body.

In support of the assurance process, the risk management The assurance objectives will dictate the assurance strate-
process should: gy and level of rigor employed, but the basic requirements
include assurance that:
• Establish an organization-specific, documented risk
management policy and framework. • All material risks have been identified.
• Assign responsibility for effective identification and • Risks have been accurately analyzed and evaluated.
management of significant risks.
• Key controls are both adequate and effective.
• Provide a structured analysis of the risks of the orga-
nization recording: • Management is appropriately addressing intolerable
risks.
– Risks, their associated exposures, and current risk
ratings. There are three fundamental classes of assurance provid-
– The organizational objective(s) to which the risk ers, differentiated by the stakeholders they serve, their
applies. level of independence from the activities over which they
provide assurance, and the robustness of that assurance.
– The organizational position responsible for identi- They are:
fying and managing each risk.
– Key control systems established to identify and • Those who report to management or are part of
manage each risk. management (management assurance), including
individuals who perform control self-assessments,
The assurance strategy is closely aligned with the corpo- quality auditors, environmental auditors, and other
rate or other strategic plans of the organization. The legal, management (designated assurance personnel).
legislative, cultural, and economic environment in which
• Those who report to the board, including internal
the organization is operating, as well as the nature of the
audit.
organization’s activities and its long-term plans drives as-
surance needs. • Those who report to external stakeholders (financial
statement assurance), a role traditionally fulfilled by
It is an important first step to identify who will be the the independent/statutory auditor.
users of organizational assurance. Clearly, the board and
The level of assurance desired will vary depending on the
management are the primary users. Other users may in-
risk and other factors such as regulations. Who should
clude the owners, regulators, government, or customers
provide that assurance will vary based on the ability of the
for whom the organization is a critical supply component.
assurance provider to deliver the necessary level of inde-
In today’s highly interconnected economy, external enti-
pendence and objectivity, as well as the historical organi-
ties may require assurance of the organization as part of
zational design of the entity and skill sets available within
their own risk management process.
the assurance group.
The required assurance may range from providing comfort
to the board when they need to approve the formal finan-
cial statements or the contents of the annual report to the

www.globaliia.org/standards-guidance / 3
IPPF – Practice Guide
Coordinating Risk Management and Assurance

The Respective Roles of Risk Management, Internal Audit, Compliance, and Other Assurance Providers

Assurance providers for an organization may include:

• Line management and employees (management provides assurance as a first line of defense over the risks and controls for which they are responsible).
• Senior management.
• Internal and external auditors.
• Compliance.
• Quality assurance.
• Risk management.
• Environmental auditors.
• Workplace health and safety auditors.
• Government performance auditors.
• Financial reporting review teams.
• Subcommittees of the board (such as audit, actuarial, credit, governance).
• External assurance providers, including surveys, specialist reviews (health and safety), etc.

Refer to The IIA’s Practice Guide, Reliance by Internal Audit on Other Assurance Providers (December 2011), for more information on the range of internal and external assurance providers. Also, refer to The IIA’s Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management (January 2009), regarding what roles are appropriate for internal audit in regard to risk management.

The internal audit activity will normally provide assurance coverage over parts of the organization approved in the internal audit charter or terms of engagement letter. This coverage should include risk management processes (both their design and operating effectiveness), management of those risks classified as high risk (including the effectiveness of the controls and other responses to them), verification of the reliability and appropriateness of the risk assessment, and reporting of the risk and control status. With responsibility for assurance activities traditionally being shared among management, internal audit, risk management, and compliance, it is important that assurance activities are coordinated to ensure resources are used in the most efficient and effective way. Many organizations operate with traditional (and separate) internal audit, risk, and compliance activities. Compliance is defined in the Glossary of the Standards as “adhering to the requirements of laws, industry, and organizational standards and codes, principles of good governance and accepted community and ethical standards.” A compliance program is a series of activities that when combined are intended to achieve compliance. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged.

Risk management is fundamental to organizational control and a critical part of providing sound corporate governance. It touches all of the organization’s activities. For this reason many organizations have moved to adopt a more formalized ERM process.

Coordination Role of the CAE

IIA Standard 2050: Coordination states that the CAE should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure appropriate coverage and minimize duplication of efforts. This responsibility requires the CAE’s inclusion and participation in the organization’s assurance provider framework. This framework can consist of internal audit, external audit, governance, risk management, and other business control functions/disclosures performed by the organization’s management team. Inclusion and participation in this framework helps
ensure that the CAE is aware of the organization’s risks and controls in relation to goals and objectives.

Most internal audit functions perform annual and engagement-based risk assessment activities to help prioritize risks according to their potential impacts on the organization’s achievement of goals and objectives. At the macro-level, these activities assist the internal audit activity to develop a proposed audit plan to submit to the board. At the micro-level, these activities help prioritize the scope of audit work and assurance being provided by internal audit engagements.

It is important that the work performed by assurance providers is understood and assessed by the CAE on an ongoing basis. This helps ensure that appropriate due professional care is exercised in the performance of internal audit work, including risk assessment activities performed to derive proposed audit plans submitted to the board. This also helps the board understand the coverage provided by the organization’s assurance providers to better assess appropriate assignment of resources and potential exposures due to non-coverage.

Coordination between assurance providers includes regular sharing of reports and outcomes of assurance activities. This formal coordination should occur on a regular basis and include time for discussion and review of techniques and methods used to reach conclusions. This includes management’s responses and an understanding of activities performed to mitigate any risks or control deficiencies identified.

The CAE may develop an annual report to be shared with the organization’s board and executive management team. This report should outline the organization’s assurance provider framework, the coverage of the assurance being provided, areas of high risk, and residual/un-mitigated risk areas within the organization. Another alternative would be for the CAE to coordinate the development and distribution of this report through the organization’s governance or risk management function. Regardless of the origin of the report, it is important that the CAE can rely on the techniques and methods performed by the assurance providers.

A thorough, documented and continuous risk management process is part of good governance and an important management tool to provide assurance that appropriate controls are in place to achieve the objectives of an organization.

The establishment of an effective enterprise-wide risk management system is a key responsibility of management. Boards and management are responsible for adopting a holistic approach to the identification of organizational risks, creating controls to mitigate those risks, monitoring and reviewing the identified risks and controls, and ensuring that risk management is integrated into the organization — both at the strategic and operational levels. Some organizations have delegated independent risk management functions, but others do not have an independent risk management function and require internal audit to provide consulting services in this area. Internal audit can assist in identifying, evaluating, and facilitating risk management methodologies. Internal audit also is responsible for evaluating the effectiveness and contributing to the improvement of the risk management process.

Identifying risks in a systematic way supports sound decision making. It is about performing a thorough analysis of the organization on various levels, describing events that might occur, deciding on the importance of those risks, and developing adequate measures to deal with them.
Using the Risk Management Process in Internal Audit Planning

The documentation of risk management in an organization can be at various levels below the strategic risk management process. Many organizations have developed risk registers that document risks below the strategic level, providing documentation of significant risks in an area and related inherent and residual risk ratings, key controls, and mitigating factors. An alignment exercise can then be undertaken to identify links between the items included in the audit universe documented by the internal audit activity and risk categories and aspects described in the risk registers.

Some organizations may identify several high (or higher) inherent risk (potential exposure) areas. While these risks may warrant internal audit attention, it is not always possible to review all of them. Where the risk register shows a high, or higher, ranking for inherent risk (or major potential exposure) in a particular area, and the current risk remains similarly high with no action by management or internal audit planned, the CAE should report those areas to the board with details of the risk analysis and reasons for the lack of, or ineffectiveness of, internal controls.

In addition to evaluating the effectiveness of the organization’s risk management process and contributing to its improvement, internal audit also uses the results of the risk management process to develop annual audit plans and individual audit engagements.

Internal audit is often asked to deliver better results with strained resources. This can be achieved by strategically placing internal audit work where it can be most effective in delivering the best results and having the highest effect on the outcome of the strategic and operational goals of the business entity. One of the tools of achieving this is to base internal audit plans and individual audit engagements on the main identified internal risks and controls.

Internal audit should prepare short- and long-term audit plans to ensure that their activities are covering the main risk areas and internal controls of the organization. As business circumstances can change substantially, continuous monitoring and periodic revision of annual plans — with at least yearly reviews of longer term plans — are needed to ensure that audit plans are flexible, based on up-to-date information and cover changing priorities and risk areas.

Standard 2010: Planning states that “the [CAE] must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals.” Also, Standard 2010.A1 states “the internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”

Standard 2120: Risk Management states, “the internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

The following are steps to consider in the preparation of internal audit plans to determine risks and exposures that may affect the achievement of the organization’s goals and objectives:

• Research and review corporate documents such as enterprise business plans, strategic plans, enterprise risk assessments, yearly reports, minutes of board meetings, minutes of management meetings, outside reports, external audit reports and other appropriate sources.
• Review previous internal audit plans, progress reports, and works in progress.
• Consult senior management of the organization and
solicit information regarding concerns or risk areas.
• Conduct a risk assessment of the issues and determine priorities for the annual audit plan.
• Prepare a draft audit plan.
• Communicate the proposed audit plan to stakeholders.
• Seek feedback and validation of the major risk areas to review.
• Finalize the audit plans.
• Present to management and the board for approval.
• Regularly monitor, review, and re-evaluate the plans in light of changing circumstances.

While the broader rationale and objective of an internal audit are developed in the annual planning phase, detailed research and work are needed at the onset of the audit to define the detailed objective and scope and develop criteria and methodology.

Standard 2201: Planning Considerations states that “In planning engagements, internal auditors must consider:

• The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level.
• The adequacy and effectiveness of the activity’s risk management and control systems compared to a relevant control framework or model.
• The opportunities for making significant improvements to the activity’s risk management and control processes.”

Also, Standard 2210: Engagement Objectives states, “Internal auditors must conduct a preliminary assessment of risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.” With regard to consulting engagements, Standard 2120.C1 states, “During consulting engagements, internal auditors must address risk consistent with the engagement’s objectives and be alert to the existence of other significant risks.”

Thorough planning of an internal audit is crucial to its success. It provides an opportunity to become familiar with the entity being audited; to gather relevant issues, concerns, and risks; to complete a risk assessment; and to determine the objectives and scope of the audit.

In developing an audit engagement plan, the internal audit team should conduct a formal, comprehensive and documented risk assessment to identify audit issues and risk events. This involves significant research, consulting with management of the entity or area under review, and becoming familiar with the entity or area.

Risk assessment methods can vary; however, all risk assessments should cover the following points:

• Description of the risk event (negative occurrence, undesirable event).
• Likelihood of the event happening (strong, moderate, weak).
• The impact of negative occurrence on the achievement of goals and objectives (high, moderate, low).
• Current controls (systems, policies, procedures, etc.) in place and their effectiveness (effective/not effective).
• Ranking of the risk events.

Every potential audit highlights a wide range of issues for examination. However, it is not necessary, reasonable, or cost effective to look at them all. The audit team has to be cognizant of, and concentrate its efforts on, the most important and high-risk issues.

By ranking the possible risk events, this process will identify the issues with the most significance and highest ranking. At this point, a decision can be made
regarding which issues are material and will be audited in light of the audit’s objective, and take into consideration other factors such as auditability, resources, and timelines. The results of the risk assessment should be presented and discussed with management of the entity under review to ensure their concurrence and validation.

Preparation of Assurance Maps

Boards will use various sources to gain reliable assurance, including management, internal audit, and third parties. Many organizations operate with separate internal audit, risk, and compliance functions, and it is not uncommon for organizations to have a number of separate groups performing different risk management functions independently of one another. As discussed in Practice Advisory 2050-2, an assurance map is a valuable tool for coordinating these risk management and assurance activities to increase the efficiency and effectiveness of assurance investments made by an organization. Assurance maps can help:

• Identify duplication and overlap in assurance coverage, allowing the board and senior management to decide if the overlap is necessary, intentional, or should be eliminated.
• Define scope boundaries and roles and responsibilities for various assurance providers to ensure the right resources are focused on the right risks. This can enhance the effectiveness of assurance providers by ensuring they are focused on the areas that need their attention, and by clearly articulating the expectations of the board and senior management.
• Assist in identifying any gaps in assurance coverage that need to be addressed.

It is the responsibility of the CAE to understand the assurance requirements of the board and the organization, clarify the role the internal audit activity fills, and the level of assurance it provides. However, given their unique vantage point to assurance activities in the organization, the CAE can take this one step further and help in the creation of an assurance map for the organization. This will not only assist the board in providing governance oversight, but also will assist the CAE in ensuring the audit activity is optimizing its resources for maximum assurance value, and creating a more connected assurance community through effective coordination.

Feedback on Significant Risk Areas in Internal Audit Reports

During all assurance work, particularly where the scope relates to significant potential exposures identified in an organization’s risk management process, audit approach, audit procedures, and communications should be designed to evaluate management’s assertions on the effectiveness of controls in bringing risk within an organization’s risk tolerance threshold.

Reports to management and the board can describe the potential exposure and management’s assessment of current risks (with the implied value of the controls in place) together with the audit evaluation of the risk ratings. Any differences should be fed into management’s risk management process for consideration.

The cumulative effect over time of such assurance activities over specific risk areas using a risk-based audit plan will provide assurance not only over those areas, but also on the effectiveness of the overall risk management process.

Assessment by Internal Audit of the Adequacy of Risk Management

Internal audit should provide assurance as required by Standards 2100: Nature of Work, 2120: Risk Management and 2400: Communicating Results to senior management,
and ultimately the board, that the organization is managing its risks effectively. Insofar as internal audit will need to include the adequacy of risk management within this scope, there are two dimensions to consider:

1. Whether the risk management function includes all appropriate risk areas within its remit.
2. Whether the risk management function is operating effectively.

The main elements of the assessment that internal audit will need to encompass are covered to a large extent by Practice Advisory 2120-1: Assessing the Adequacy of Risk Management Processes. The main features are:

• Boards of management, as part of their oversight role, may direct internal audit to assist by reviewing and reporting on the adequacy of risk management.
• Management and the board are responsible for risk management; however, internal auditors acting in a consulting role can assist management in this responsibility.
• Where the organization does not have a formal risk management process, the CAE should formally discuss the situation with management and the board.

The CAE should establish that:

• There is a culture of effective risk management.
• There is a clear understanding at all levels of the potential exposures or inherent risks facing the organization (e.g., a risk register).
• There is a clear understanding of the current level of risk within the organization.
• The amount of risk taken at every level of the organization is clearly defined and understood.
• Adequate and effective controls exist to mitigate risks.
• There is an appropriate method of communicating the status and effectiveness of the risk management system to senior management and the board.

The CAE has three important functions in the review of risk management, as in any other audit assignment:

• Test the controls.
• Report any missing or ineffective controls.
• Recommend improvements.

The Promotion of Risk Management by Internal Audit

Standard 2100 states, “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.” The internal audit activity often has a role providing independent and objective assurance to the organization’s board regarding the effectiveness of an organization’s ERM activities. This helps ensure key business risks are being managed appropriately and the organization’s system of internal controls is operating effectively and efficiently.

Risk management is a management process that promotes the cost-effective achievement of organizational objectives. Assurance provides reliable information about the achievements of risk management activity. Assurance and risk management are complementary processes.

Often the internal audit activity of an organization will work in close cooperation with the risk management function. By independently reviewing the risk management process of an organization, internal audit can promote risk management throughout the organization and the audit process can be aligned with risk management frameworks. Consistent risk language used throughout the organization can be adopted by internal audit.
Internal audit’s review of risk identification, risk evaluation, control identification and evaluation, and appropriate risk treatments challenges and enhances risk registers and the risk management framework.

Where Internal Audit Facilitates Risk Management

Some organizations do not have a formal risk management function, and in this case the internal audit activity may provide risk management consulting services to the organization. Internal audit may provide risk management consulting provided certain conditions apply:

• It should be clear that management remains responsible for risk management even in those organizations where internal audit has been asked to facilitate the risk management program. Internal audit should not manage any risks on behalf of management, nor make final decisions regarding the enterprise’s risk appetite or level of resource allocation to control or mitigate risk. Whenever internal audit acts to help the management team to set up or to improve risk management processes, the audit committee should approve its plan of work.
• The nature of internal audit’s responsibilities should be documented in the internal audit charter and approved by the board. Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.
• Internal audit should provide advice, challenge, and act as a support to management’s decision making, as opposed to making risk management decisions. Internal audit cannot give objective assurance on any part of the risk management framework for which it is responsible. Other suitably qualified parties should provide such assurance.

The IIA’s Position Paper, The Role of Internal Auditing in Enterprise-wide Risk Management (January 2009), describes roles that are appropriate for internal audit in regard to risk management.

Impact on Internal Audit Where a Formal Risk Management Function Does Not Exist

When an organization does not have a risk management function, it typically requires increased effort from the CAE to communicate risk management and assurance activities to the board. Increased importance is placed on the quality of the internal audit risk assessment as the sole view of risk the board may be exposed to.

The CAE should promote the risk management function as an important activity that assists the organization in achieving its objectives, and provide recommendations for establishing such a process. If requested, the CAE can play a proactive consultative role in assisting with the initial establishment of a risk management process for the organization. However, while the internal audit function can facilitate or enable the creation of risk management processes, it should not be responsible for the processes or management of the identified risks. Initially, the internal audit function can facilitate management’s risk assessment processes; however, it is advisable to have such facilitation activities separated from assurance activities in the CAE’s organization.

If internal audit’s role exceeds normal assurance and consulting activities such that independence could be impaired, the CAE should conform to the disclosure requirements of the Standards.
Authors:
Andrew MacLeod, CIA, CMIIA
Brian Foster, CIA
Patricia Macdonald
Andy Robertson
Teis Stokka, CIA
Benito Ybarra, CIA

Reviewers:
Doug Anderson, CIA, CRMA
Andy Dahle, CIA
Steve Jameson, CISA, CCSA, CFSA, CRMA
David Zechnich, CIA, CPA
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org
– Practice Guide

Developing the Internal Audit Strategic Plan

July 2012
IPPF – Practice Guide
Developing the Internal Audit Strategic Plan

Table of Contents

Executive Summary
Introduction
Strategic Plan Definition and Development
Review of Strategic Plan
Appendix: Illustrative Example — SWOT Analysis
Appendix: Illustrative Example — Strategic Plan Summary
Authors and Reviewer
Executive Summary

For internal audit to remain relevant, it should adapt to changing expectations and maintain alignment with the organization’s objectives. The internal audit strategy is fundamental to remaining relevant — playing an important role in achieving the balance between cost and value, while making meaningful contributions to the organization’s overall governance, risk management, and internal controls.

A systematic and structured process can be used to develop the internal audit strategic plan, helping to enable the internal audit activity to achieve its vision and mission. The following steps can be used to develop the internal audit strategic plan:

1. Understand the relevant industry(ies) and the organization’s objectives.
2. Consider the International Professional Practices Framework (IPPF).
3. Understand stakeholder expectations.
4. Update the internal audit vision and mission.
5. Define the critical success factors.
6. Perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis.
7. Identify key initiatives.

It is important for the chief audit executive (CAE) to vet the strategic plan with key stakeholders and obtain approval from the board¹, as this is part of the CAE’s obligation for periodically reporting to senior management and the board on internal audit’s purpose, authority, responsibility, and performance (Standard 2060: Reporting to Senior Management and the Board). It will be necessary for the strategic plan to be periodically reviewed. Factors influencing the frequency of reviewing the strategic plan include:

• Changes in the organization’s strategy.
• Degree of the organization’s growth and assessment of organizational maturity.
• Degree to which the organization and its senior management rely upon the internal audit activity’s independent assessment and/or support regarding the management of organizational risks.
• Significant change in the availability of the internal audit activity’s resources.
• Significant change in laws and/or significant changes to organizational policies and procedures.
• Degree of change in the organization’s control environment.
• Key changes in an organization’s leadership team and board of director composition.
• Evaluation of how the internal audit activity has qualitatively or quantitatively delivered on its strategic plan.
• Results of internal/external assessments of the internal audit activity.

This Practice Guide was developed to provide the CAE with guidance on how to develop an internal audit strategic plan. It also highlights the IPPF’s Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity; while there is no way to mitigate all of the risks, an internal audit activity can proactively manage its risks by developing a strategic plan.

¹ The term board is used in this guidance as defined in the Standards glossary: “A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.”
IPPF – Practice Guide
Developing the Internal Audit Strategic Plan

This guidance will be particularly effective as a guide for


first-time strategic plan preparation for an internal audit
Strategic Plan Definition
activity.  It also provides a good review for a strategic plan and Development
that has been in place and might need to be refreshed.
Definition of Strategy
Introduction Strategy is a means of establishing the organization’s pur-
pose and determining the nature of the contribution it in-
The International Professional Practices Framework tends to make while predefining choices that will shape
(IPPF) is the conceptual framework that organizes au- decisions and actions. Strategy for the internal audit ac-
thoritative guidance promulgated by The Institute of In- tivity enables the allocation of financial and human re-
ternal Auditors (IIA). The IPPF includes the Definition of sources to help achieve these objectives as defined in the
Internal Auditing, Code of Ethics, International Standards activity’s vision and mission statements (which contrib-
for the Professional Practice of Internal Auditing (Stan- ute to the achievement of the organization’s objectives).
dards), and strongly recommended guidance such as this This benefits the internal audit activity through its unique
Practice Guide. configuration of resources aimed at meeting stakeholder
expectations.
According to The IIA’s definition: “Internal auditing is an
independent, objective assurance and consulting activity The strategy itself is part of the set of matters to be re-
designed to add value and improve an organization’s op- ported to senior management and the board. This respon-
erations. It helps an organization accomplish its objectives sibility falls under the scope of Standard 2060: Reporting
by bringing a systematic, disciplined approach to evaluate to Senior Management and the Board, which establishes
and improve the effectiveness of risk management, con- that “the chief audit executive must report periodically to
trol, and governance processes.” senior management and the board on the internal audit
activity’s purpose, authority, responsibility, and perfor-
In order to adhere to the IPPF, internal audit practitioners mance relative to its plan.”
would benefit from applying a strategic approach toward
developing a strategic plan for achieving their internal A systematic and structured process can be used in devel-
audit vision and mission statements, thereby positioning oping the strategic plan to enable the internal audit activ-
themselves to meet the expectations of stakeholders. ity to achieve its vision and mission statements. The fol-
lowing steps are one approach for developing the internal
audit strategic plan:

IPPF – Practice Guide
Developing the Internal Audit Strategic Plan

Industry & Objectives → Standards & Guidance → Stakeholder Expectations → Vision & Mission → Critical Success Factors → SWOT Analysis → Key Initiatives

Industry & Objectives

The starting point for developing the internal audit strategic plan should be obtaining a thorough understanding of the organization’s objectives and the industry (or industries) in which it operates. For the internal audit activity to deliver value, it should contribute to the achievement of the organization’s strategic, operational, reporting, and compliance objectives while providing assurance that the organization maintains an ethical environment and culture of accountability. Therefore, it is imperative that the internal audit activity have an in-depth understanding of the applicable industries (including the applicable regulations and laws) and the organization’s objectives.

Review the organization’s strategic plans prior to interviewing stakeholders.

Standards & Guidance

The CAE should consider the IPPF when developing the internal audit strategic plan. The values the internal audit activity’s personnel should adopt are contained within the framework’s Standards and Code of Ethics (along with their organization’s own values).

Attribute Standards:
• 1000: Purpose, Authority, and Responsibility
• 1110: Organizational Independence
• 1120: Individual Objectivity
• 1200: Proficiency and Due Professional Care
• 1210: Proficiency
• 1230: Continuing Professional Development
• 1300: Quality Assurance and Improvement Program
• 1311: Internal Assessments
• 1312: External Assessments

Performance Standards:
• 2000: Managing the Internal Audit Activity
• 2010: Planning
• 2020: Communication and Approval
• 2030: Resource Management
• 2040: Policies and Procedures
• 2050: Coordination
• 2060: Reporting to Senior Management and the Board
• 2110: Governance
• 2120: Risk Management
• 2201: Planning Considerations
• 2210: Engagement Objectives
• 2230: Engagement Resource Allocation
• 2300: Performing the Engagement
• 2310: Identifying Information
• 2320: Analysis and Evaluation
• 2410: Criteria for Communicating
• 2420: Quality of Communications
• 2500: Monitoring Progress
• 2600: Resolution of Senior Management’s Acceptance of Risks


Stakeholder Expectations

Understanding stakeholder expectations and needs is a critical step in developing the internal audit strategic plan. It is important to include the key internal and external stakeholders (e.g., board members, senior management, external auditors, and regulators).

The CAE should communicate directly with each key stakeholder to understand his or her expectations for the internal audit activity. Stakeholders have unique backgrounds, roles, and responsibilities that help to shape their expectations, as well as their understanding of internal audit. Therefore, it may be beneficial to provide the stakeholders with a general understanding of internal audit’s role and purpose. Through discussions with stakeholders, the CAE can determine how internal audit can add value to the organization in both the short term and long term based on the organization’s objectives and goals. The expectations may vary in the short term versus the long term based on the level of maturity in the organization’s control environment. The CAE will need to evaluate stakeholder expectations to ensure they do not conflict with one another and are supported by the internal audit charter. The weighting placed on each stakeholder’s expectations will vary based on his or her role and responsibilities in the organization.

After communicating with each stakeholder, the CAE should document and confirm stakeholder expectations. Also, it can be beneficial to survey the stakeholders to help prioritize their expectations after compiling their individual perspectives. This will form a key input for developing the internal audit strategic plan.

Vision & Mission

The strategic plan is the means by which the internal audit activity’s vision and mission will be pursued. The CAE should develop and update the vision and mission statements based on stakeholder expectations and IIA guidance. In writing these statements, it is important to recognize that internal audit cannot be all things to all people. Therefore, it is necessary for the CAE to make tough choices — recommending to the board what will be pursued and what will not be pursued.

Sharing with senior management and the board what will not be included is important to ensure full disclosure.

Vision Statement – The purpose of establishing a vision statement is to articulate the internal audit activity’s philosophy and what it hopes to contribute to the organization. A vision transcends objectives and goals; it expresses the desired future state and is, therefore, lofty in nature.

Mission Statement – The mission statement, constructed on the basis of the vision statement, outlines the internal audit activity’s primary business purpose, what it plans to achieve in the future, its values, and how it integrates into the organization’s strategic plan. The mission statement should resonate with all internal audit personnel, as well as the internal and external stakeholders. It is from the mission statement that the internal audit strategic plan will be developed, essentially determining how the mission will be achieved. The mission statement is commonly the first statement in the internal audit charter.


Critical Success Factors

Identifying the critical success factors (CSFs) will allow the internal audit activity to understand the limited number of elements that should go right for it to achieve its vision and mission. These factors will provide the department with the essential elements that all major initiatives should be vetted against to help ensure resources are focused on the most important activities. Three questions that may be helpful in identifying the CSFs are:
• Positioning – Is the internal audit activity strategically positioned and supported?
• Processes – Are the internal audit activity’s processes enabling and dynamic in meeting business needs?
• People – Does the internal audit activity have the right people strategy to deliver its mission?

Monitoring the progress of the critical success factors will ensure management is giving them continuous attention.

SWOT Analysis

Performing an assessment of the current state of the internal audit activity will help identify what should be incorporated into a strategic plan. One technique is to perform a strengths, weaknesses, opportunities, and threats (SWOT) analysis against the vision, mission, and critical success factors. The aim of any SWOT analysis is to identify the key internal and external factors that are important to achieving the strategy. This analysis groups information into two main categories:
• Internal factors – The strengths and weaknesses unique to the internal audit activity.
• External factors – The opportunities and threats presented by the external environment to the internal audit activity. The external environment includes forces inside the organization (but outside of the internal audit activity) and outside of the organization.


The following are definitions of a SWOT analysis’ individual components:

Internal origin:
Strengths – Internal characteristics of the internal audit activity that can be considered facilitators of the audit strategy.
Weaknesses – Internal characteristics of the internal audit activity that, in opposition, can prevent the achievement of the audit strategy, and can place the activity in an unfavorable position.

External origin:
Opportunities – External elements apart from the internal audit activity that can increase the demand for more and better assurance and consulting audit services and contributions.
Threats – External elements apart from the internal audit activity that, in opposition, can decrease the demand for assurance and consulting services, prevent the achievement of the audit strategy, and place the activity in an unfavorable position.

Topics to consider in performing the SWOT analysis include (but are not limited to):

Organizational Structure
The internal audit activity structure should be designed to ensure an appropriate level of supervision to deliver high quality while facilitating efficient delivery of services. Additionally, the internal audit activity should be free from conditions that threaten the ability to perform its responsibilities in an unbiased manner. To achieve the degree of independence necessary to carry out internal audit’s responsibilities effectively, the CAE should have direct and unrestricted access to senior management and the board.

Resource Requirements
The skill set and knowledge of the internal audit team are critical to its ability to help the organization achieve its objectives and strategy. The initial step in people planning is to perform a skill assessment to identify the skills and knowledge required to address items in the internal audit strategy. It is important to assess the degree to which the skills and knowledge identified will need to be relied upon, as this will influence the type of sourcing model selected. Additionally, consideration should be given regarding how to best leverage technology resources in conjunction with establishing the most appropriate sourcing model. These aspects of resource consideration will support priorities for the department as defined by the CAE.

An assessment of the necessary skills and knowledge can include: i) the scope of the internal audit activity’s responsibilities as defined by the charter, ii) expected balance of assurance and consulting engagements, iii) stakeholders’ expectations and requirements, iv) results of the risk assessment, v) the level of coordination with other risk management and assurance functions, and vi) the long-term strategic plan for the organization. The IIA’s Common Body of Knowledge publication Core Competencies for Today’s Internal Auditor may be valuable in identifying what internal auditors need to know to perform their jobs with due care while adding value to their respective organizations.

Technology & Tools
Reviewing the internal audit activity’s technology and tools will help a CAE understand the activity’s capabilities. The use of electronic workpapers may be helpful to improve productivity and facilitate quality control, especially in managing multiple components of single engagements with multiple staff and for multiple locations. Leveraging work flow tools within such applications to share files and consolidate findings may promote effective information sharing to allow for timely quality control of workpapers and reports. Additionally, these tools can enable the CAE to better monitor the progress of the audit plan and drill down to the engagement component of each plan. Such applications also provide a central repository for workpapers and reduce the risk of multiple file versions, which allows for effective file sharing. Return on investment analysis would be needed to support justification to implement such tools. Some applications primarily benefit the internal audit activity; however, many electronic workpaper applications also provide surveys and certification templates and accompanying work-flow technology to manage governance/control initiatives.

Using data analytics and leveraging continuous control monitoring (CCM) tools can be beneficial to a department’s efficiency and effectiveness. Data analytics can better focus hours spent by resources relative to risk. CCM leveraged by the broader organization may serve to provide reliable evidence for the effective functioning of detective controls within an application. The presence of CCM may not be sufficient to permit reliance if data delivered by such tools is not reviewed by management in a timely and effective manner.

Sourcing Model
An assessment of sourcing models should be performed to determine the most cost effective structure for performing the expected services for auditable entities within the audit universe. The key variables to assess related to the sourcing model include:
• Required skills
• Specialized skills
• Level of centralization vs. decentralization in the organization
• Geographical footprint
• Language requirements
• Desired flexibility with staffing and cost structure
• Upcoming changes to laws and regulations
• Budget
• Desired level of talent sourcing for the organization

The sourcing options include:
• Full in-house staffing – only using internal resources
• Limited co-sourcing – internal resources perform the majority of the activity with outsourced resources providing specialized skills
• Significant co-sourcing – CAE is supported primarily by external resources
• Full outsourcing – external resources perform the entire activity

It may be beneficial to perform benchmarking of organizations within the same industry that are similar in size and in geographical coverage to gauge the number of resources appropriate for the risk appetite of the organization. Consider the following when determining the appropriateness and sufficiency of resources:
• Types of risks faced by the organization, and the risk appetite of its stakeholders.
• The internal audit staff’s experience level — experienced staff may require fewer hours to complete engagements.
• Nature of engagements to be performed — engagements that are complex, new to scope, or require remediation testing based on risk will require more time to execute.
• Degree to which automated control evaluation is integrated into the audit plan — automated controls are generally more efficient to test.

Where the internal audit activity is viewed as a source of talent for the organization, it may be beneficial to consider a rotational staffing model. This model provides the organization with individuals who have an extensive understanding of governance, risk management, and controls. Rotational models provide benefits to the internal audit activity by introducing staff members (from outside the activity) with nonaudit backgrounds who may provide specialized skills along with an independent perspective on engagements and audit procedures. Disadvantages to such models include increased training and oversight of rotational staff, lack of engagement continuity, and a “cooling-off period” from auditing the area they most recently worked (Practice Advisory 1130.A1-1: Assessing Operations for Which Internal Auditors Were Previously Responsible).

Coordination With Other Risk Management and Assurance Functions
Based on stakeholder expectations, IIA guidance, and the audit charter, the CAE should align resources and priorities, determine how the internal audit activity will work, and coordinate with other risk management/assurance functions. Organizations often have separate groups performing various risk management and assurance functions independently of one another. The internal audit activity should develop a clear understanding of the other groups’ objectives and determine how the groups should best coordinate their efforts to minimize duplication and help to ensure key risks are being addressed. For further information on this topic, refer to The IIA’s Practice Guide, Reliance by Internal Audit on Other Assurance Providers.

Methods to Deliver Services
The methodologies for performing internal audit assurance and consulting services should be defined and documented to help ensure there is consistency and high quality of services for planning, fieldwork, reporting, and follow-up. There should be both mandatory requirements and recommended protocols to allow for flexibility in performing the work, allowing for circumstances when requirements are not feasible. The methodology should conform to the IPPF.

Communication With Stakeholders
The CAE should have a communication plan in place that ensures senior management and the board are informed of the plan for the internal audit activity, including resource requirements (and limitations) and progress against such plan. It is also valuable to include in this communication plan the results from internal audit’s assurance and consulting engagements, including management’s progress in remediating findings.

People Development
Building upon the skills identified in the previous section, “Resource Requirements,” it is vital to have a defined approach for how the audit team will be developed, trained, and managed. A people development plan should include clear expectations for each position, including the necessary competencies, knowledge, experience, and certifications. These expectations enable management to work toward an individual’s readiness for his or her current position and future advancement.


Key Initiatives

Based on the results of the SWOT analysis, it is possible to identify and prioritize the key initiatives that will have a significant impact on achieving the internal audit activity’s critical success factors and therefore its vision and mission statements. For each initiative, it is valuable to identify a timeline for implementation, the desired objectives, the performance measurements (qualitative and quantitative), and the associated SWOT elements.

Performance Monitoring
To ensure the strategic plan produces the desired results, it is critical to monitor its execution and impact. To help in this regard, it is beneficial to establish performance goals (qualitative and quantitative) to measure the progress and performance of each initiative against expectations. Feedback from key stakeholders on progress against the strategic plan may also provide a mechanism to support the assessment process. Additionally, the CAE and his or her management team can perform self-evaluations regarding the efficiency and effectiveness of strategic plan execution. These goals can be included in reporting provided to key stakeholders. For further information on this topic, refer to the Practice Guide, Measuring Internal Audit Effectiveness and Efficiency.

Feedback and Approval
It is essential to vet the strategic plan with the key stakeholders prior to its finalization. Communication of the revised strategic plan will increase awareness and buy-in across the organization. Final approval should be obtained from the board.


Review of Strategic Plan
Similar to the strategic plan for the organization, the internal audit strategic plan should be periodically reviewed and appropriately updated. The frequency of review will be determined by the CAE in conjunction with discussions with the board. Factors influencing the frequency of reviews include (but are not limited to):
• Degree of the organization’s growth and assessment of organizational maturity.
• Changes in the organization’s strategy.
• Degree to which the organization and its senior management rely upon the internal audit activity’s independent assessment or support regarding the management of organizational risks.
• Significant change in the availability of the internal audit activity’s resources.
• Significant change in laws or the volume of changes to organizational policies and procedures.
• Degree of change in the organization’s control environment.
• Key changes in an organization’s leadership team and board of director composition.
• Evaluation of how the internal audit activity has qualitatively or quantitatively delivered on its strategic plan.
• Results of internal/external assessments of the internal audit activity.


Appendix: Illustrative Example — SWOT Analysis

Strengths
1. Defined internal audit vision, mission, values, and charter
2. Strong respect and credibility of CAE with senior management
3. Defined and validated audit universe
4. Formal risk-based planning process with management validation
5. Individual staff training/certification plans
6. Independent and objective organization-wide perspective
7. Staff adaptable to change; positive attitude
8. Diverse skills, backgrounds, and business knowledge of staff
9. Process focus vs. transactional focus
10. Increased partnering with the business
11. Formalized follow-up process

Weaknesses
1. Skill gaps – consulting and fraud knowledge
2. Undefined staff development model
3. Limited staff career opportunities – not a talent source for the business
4. Risk assessment not mapped to organization’s strategy; limited identification of emerging risks
5. Audit plan limited to one year
6. Limited understanding of stakeholder expectations
7. Inconsistent communication with stakeholders
8. Emphasis on findings (“gotcha” and “policeman” mentality)
9. Limited involvement in organization’s strategic decisions
10. Lack of formal knowledge-sharing program
11. Limited focus on operational efficiency vs. effectiveness
12. Limited use of data analytics and data mining
13. Performance evaluations only occur annually
14. Long audit cycle time
15. Not fully aligned with IIA Standards
16. Audit methodology does not address all types of engagements

Opportunities
1. Improve perception of staff skill, knowledge, and capabilities
2. Confirm and clarify stakeholders’ evolving expectations
3. Educate stakeholders on internal audit’s role and capabilities
4. Become involved in new initiatives early to incorporate controls
5. Educate management on recurring/common issues
6. Collaborate with other assurance/risk management functions throughout the year and during risk assessment
7. Introduce risk and control self-assessments

Threats
1. Predisposition of board to focus on financial and compliance exposures without balanced attention to operational risks
2. Implementation of findings constrained by budgets, staffing, and governance
3. Reduction in management cooperation
4. Emerging and changing risks increase skill gaps
5. Lack of awareness of business initiatives
6. Adapting to higher IIA Standards and stakeholder expectations


Appendix: Illustrative Example — Strategic Plan Summary

Vision
To be a high-performing internal audit activity that meets the expectations of our stakeholders and adheres to The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (Standards) and the attributes of high performance recognized by leading internal audit activities. This will enable us to be a business partner and a trusted advisor, recognized as a driving force behind a culture of governance, accountability, compliance, and execution that helps in the achievement of the organization’s objectives.

Mission
Deliver an independent assessment of financial, regulatory, and operational risks and control effectiveness to the organization’s management and the board. We will provide control expertise to minimize risks, improve process quality, and enhance operational effectiveness in furtherance of our business goals.

Critical Success Factors, Initiatives, Objectives, and Key Tasks

CSF 1: Focus on the Organization’s Highest Risks
Initiative: Enhance the planning process to identify the highest priority strategic, operational, financial, and regulatory risks to the organization.
SWOT Mapping: Weaknesses – 4, 5, 9; Opportunities – 6
Objectives:
• A sustainable process that identifies the most significant internal and external risks that could impede the achievement of the organization’s objectives and strategy.
• Collaboration with other control and risk management functions to coordinate coverage of the risks.
Key Tasks:
• Benchmark the current risk assessment process against other organizations of comparable size.
• Inventory current processes and sources used to identify emerging risks (which have never occurred or not occurred for an extended period).
• Understand the scope of other control and risk management groups’ responsibilities and their approach for identifying risks.
• Develop a methodology that links the organization’s strategy to the auditable risks.
• Validate the methodology with key stakeholders.
Time frame: August – November 201X

CSF 2: Provide Impactful Reporting to Stakeholders
Initiative: Increase the transparency of internal audit’s activities through providing timely and impactful communications to key stakeholders regarding the global collection of risks, audit findings, and issue-remediation efforts.
SWOT Mapping: Weaknesses – 6, 7, 8; Opportunities – 3, 5
Objectives:
• A relationship map and communication plan for key stakeholders.
• Standardized reports for regular communications.
Key Tasks:
• Identify key stakeholders.
• Obtain feedback from key stakeholders on performance and expectations.
• Agree on improvement opportunities.
• Design and implement “to-be” state.
Time frame: March – April 201X

CSF 3: Maintain Efficient and Effective Audit Processes
Initiative: Develop a manual that defines the methodology for performing all internal audit assurance and consulting engagements.
SWOT Mapping: Weaknesses – 1, 11, 15, 16; Opportunities – 7
Objectives:
• Identification of the required and recommended practices for all engagement types, helping to ensure a consistent approach that adheres to the Standards.
Key Tasks:
• Assess current processes for planning, fieldwork, reporting, and follow-up of assurance and consulting engagements against the IPPF.
• Refine processes to align with the IPPF, identifying those that are required vs. recommended.
• Develop control self-assessment tools.
• Validate the internal audit manual with all staff.
Time frame: June – August 201X

CSF 4: Adequately Skilled and Knowledgeable Staff
Initiative: Identify the critical skills, create development plans, and develop a sourcing strategy to deliver on the mission statement.
SWOT Mapping: Weaknesses – 1, 2, 3, 10, 11, 15, 12; Opportunities – 3
Objectives:
• Understand the necessary skills to deliver on the mission statement for all areas within the audit universe.
• Develop a formalized training and development program for all staff levels.
Key Tasks:
• Perform skills assessment.
• Identify internal and external staffing and training solutions.
• Develop continual learning and development program.
Time frame: July – October 201X

Note: A work plan would need to be developed to identify the detailed steps, the necessary timing, and the necessary resources to complete each initiative.


Authors:
Brian Reed, CIA
Erich Schumann, CIA
Princy Jain, CIA, CCSA, CRMA
Rita Thakkar, CIA

Reviewer:
Steven Jameson, CIA, CBA, CCSA, CFE, CFSA, CGMA, CPA, CRMA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org
IPPF – Practice Guide
Evaluating Corporate Social Responsibility/Sustainable Development
February 2010

Table of Contents
Introduction
Executive Summary
CSR Definitions
Responsibility for CSR
Risks
  Reputation
  Compliance
  Liability
  Operational
  Stock Market
  Employment Market
  Sales Market
  External Business Relationships
  CSR Business Activities
  CSR Reporting
Approaches to Evaluating CSR
  Auditing
  Facilitating
  Consulting
Audit Considerations
  Use of Audit Opinion
  Independence and Objectivity
  Skills and Body of Knowledge
  Resources
  CSR Maturity Model
Internal Audit Program Development (Considerations)
Appendix A – Auditing by Element
  Governance
  Ethics
  Environment
  Transparency
Health, Safety, and Security...............................................................................13
Human Rights and Work Conditions...................................................................13
Community Investment......................................................................................14
Appendix B – Auditing by Stakeholder Group............................................................15
Employees and Their Families............................................................................15
The Environment................................................................................................15
Customers..........................................................................................................15
Suppliers............................................................................................................15
Neighboring Communities..................................................................................16
Shareholders and Investors................................................................................16
Appendix C – Stakeholder Theory................................................................................17
Appendix D – Additional Resources.............................................................................18
Practice Guide Team Members....................................................................................19

www.theiia.org/guidance / B
Introduction

Organizations worldwide are adopting mission statements and governance activities related to corporate social responsibility (CSR) and sustainable development. Customers, employees, and public stakeholders have increasing expectations for organizations to act in responsible and sustainable ways, and public scrutiny of these activities is rising. This growing attention extends beyond the organization to its partners and suppliers. Increasing regulations relating to the environment and the workplace are leading to new practices and management systems. In response, organizations are developing performance targets, measurement systems, and reporting systems related to CSR and sustainable development strategies.

Chief audit executives (CAEs) should understand the various ways in which they can support management relating to CSR and sustainable development. An internal audit activity that conforms to the International Professional Practices Framework (IPPF) is qualified to audit and provide assurance to the board and management on CSR and sustainable development programs and reporting.1 This guide is designed to assist in planning and implementing related internal audit strategies and programs.

Organizations adopt terminology (e.g., CSR, sustainable development, and corporate citizenship) that best fits within the context of their operations and that is consistent with the strategies adopted. For the purposes of this guide, CSR refers to social responsibility, sustainable development, and corporate citizenship.

Executive Summary

CSR presents significant risks and opportunities for organizations. Stakeholders expect boards and management to accept responsibility and implement strategies and controls to manage their impact on society and the environment, to engage stakeholders in their endeavors, and to inform the public about their results. The proliferation of regulation and voluntary standards has made CSR management a complex endeavor.

Internal auditors should understand the risks and controls related to CSR objectives. Where appropriate, the CAE should plan to audit, facilitate control self-assessments, verify results, and consult on the various subjects. Internal auditors should maintain the skills and knowledge necessary to understand and evaluate the governance, risks, and controls of CSR strategies.

1. Auditors that conform to the Performance and Program Standards for the Professional Practice of Environmental, Health and Safety Auditing (Board of Environmental Health and Safety Auditor Certifications) may also be qualified.

CSR Definitions

Governmental and nongovernmental organizations have published many definitions of CSR, including:

• CSR is the continuing commitment by business to behave ethically and contribute to economic development while improving the quality of life of the workforce and their families as well as of the local community and society at large.2
• Generally, CSR is understood to be the way firms integrate social, environmental, and economic concerns into their values, culture, decision-making, strategy and operations in a transparent and accountable manner and thereby establish better practices within the firm, create wealth, and improve society.3

Some organizations focus on economic and CSR objectives, where the environment is included as one element of CSR, along with ethics, transparency, health and safety, corporate governance, human rights, and community investment. Other organizations follow a Triple Bottom Line reporting strategy, which covers three measures of success: economic, environmental, and social responsibility. This theme is prevalent in resource companies, such as mining, forestry and oil, where the environment has been an important focus of advocates, governments, and communities. These organizations often refer to their objectives as sustainable development:

• For the business enterprise, sustainable development means adopting business strategies and activities that meet the needs of the enterprise and its stakeholders today while protecting, sustaining, and enhancing the human and natural resources that will be needed in the future.4

Responsibility for CSR

The board5 has overall responsibility for the effectiveness of governance, risk management, and internal control processes associated with CSR.

Management is responsible for ensuring that CSR objectives are established, risks are managed, performance is measured, and activities are appropriately monitored and reported. There may be a CSR executive responsible for coordinating these activities, or this responsibility may be allocated to executives responsible for each individual function (such as a chief ethics officer, vice president of environment, health and safety, general manager of human resources, and director of community and public affairs).

If the organization has limited resources to spend on CSR, should those resources be directed toward feeding starving children, educating an aboriginal workforce, or starting a recycle program? All are worthy causes. The challenge management faces is ensuring that CSR activities throughout the organization are coordinated and aligned with strategic initiatives and principles, with appropriate risk/reward decisions being made. CSR programs for charity, product and worker safety, pollution, and human rights often elicit emotional and personal responses, and managers can be influenced by such responses to support personal objectives. Management is responsible for ensuring that the organization’s CSR principles are communicated, understood, and integrated into decision-making processes.

Generally, CSR activities are pervasive throughout the organization; thus, every employee has a responsibility for ensuring the success of CSR objectives.

2. World Business Council for Sustainable Development.
3. Government of Canada.
4. This definition captures the spirit of the concept as originally proposed by the World Commission on Environment and Development and is substantially similar to the definition used by the World Business Council for Sustainable Development.
5. In this guide, “board” will be used to refer to the board of directors or similar oversight group and to committees that have been delegated specific CSR responsibilities.

Risks

Organizations are exposed to a variety of risks associated with CSR activities. The board and management are responsible for performing a risk assessment and determining what is important to their organization and the controls they will implement to manage those risks.

The CAE should understand these risks and use that knowledge when considering CSR activities in the audit universe, audit plan, and audit approaches. Internal auditors should understand these risks to help them develop appropriate audit procedures.

Reputation
The organization’s brand or reputation could be damaged due to violations of law or principles, errors or omissions in disclosed CSR information, under-performance compared with objectives/targets, or the appearance of indifference to social issues. If activists believe an organization is being unresponsive to their concerns, they may become shareholders to introduce resolutions relating to their CSR agenda. Organizations have the opportunity to enhance their reputation by behaving in a socially responsible manner and involving stakeholders in decisions that affect them.6

Compliance
Organizations may fail to comply due to the extent, complexity, and volume of regulations relating to the environment, health and safety, employment, governance, political contributions, conflict of interest, fraud, etc. Compliance risk also arises from contractual obligations with third parties, such as customers, unions, or employees, and from voluntary adoption of standards. Compliance risk increases for organizations operating in multiple countries.

Liability
Liability risk exists when contracting for CSR terms and conditions and ensuring third-party compliance. Activists or specific classes/special interest groups may take legal action for alleged harm done by the organization.

Operational
Risk arises from the CSR “pressure points” for the organization’s manufacturing processes, products, services and impact on the environment. Other examples of potential risk scenarios include: under-performance of other targets due to inappropriate CSR strategies, or over-emphasis on CSR strategies; failure to integrate CSR objectives into processes, or to educate staff appropriately; failure to develop well-controlled systems for CSR initiatives; risk associated with reporting CSR activities and results (e.g., inaccurate or incomplete information and poor communication and reporting strategies). In addition, international organizations may find it challenging to apply the same standard in multiple countries.

Stock Market
Organizations may lose investors, or limit their pool of investors, if they do not qualify for Socially Responsible Investment or similar funds.

Employment Market
Employees want to work for organizations that respect their rights, have a culture of integrity, and commit to social and community concerns.

Sales Market
Customers might boycott products or services for environmental or social issues. Organizations have an opportunity to increase sales and advertising if they are recognized by “socially responsible consumer” groups.

External Business Relationships
Customers, suppliers, or partners could violate CSR terms and conditions, principles, or laws, yet the organization could be included as a wrongdoer by association. Developing and monitoring the controls over and within external business relationships may be a challenge for some organizations.7

6. For more information about stakeholder engagement, see Appendix C.
7. Refer to The IIA’s Practice Guide Auditing External Business Relationships for additional information.

CSR Business Activities

CSR business activities generally include:

1. Determining and communicating policies and procedures for areas including corporate governance, business ethics, human resources and employment, supply chain management, stakeholder relations, donations and political contributions, the environment, and health and wellness.

2. Setting objectives, performance targets, and strategies, such as:
• Reduce carbon emissions.
• Comply with laws and regulations.
• Donate a percentage of net profits to charitable organizations.
• Increase indigenous workforce.
• Reduce safety incidents.
• Reduce waste.
• Create a culture of transparency.
• Facilitate employee volunteerism.
• Become the employer of choice and extend the ethical culture throughout the supply chain.

3. Communicating and embedding CSR principles and controls into business decision making processes.
• CSR risks are considered as part of project approvals.
• Culture is based on making the right decisions for the right reasons.
• Life-cycle value assessments are used to evaluate impacts of products or operations.

4. Tracking, measuring performance of, analyzing trends around, and benchmarking activities such as:
• Emissions.
• Health and safety incidents.
• Fraud incidents.
• Donation and sponsorship amounts.
• Economic benefits to specified regions.
• Employee satisfaction.
• Noncompliance incidents.
• Commitments to stakeholders, reclamation activity.

5. Stakeholder engagement, including:8
• Advisory or focus groups as part of research and development.
• Involvement in policy development and feedback.
• Satisfaction surveys.
• Complaint management processes (including protection of complainants from retaliation or intimidation).

6. Auditing:
• Disclosures in public reports.
• Internal controls and management systems.
• Contractual compliance with CSR terms and conditions (both internally and with external business relationships).

7. Reporting results internally and externally, along with governance processes for such disclosures.

8. Refer to Appendix C for additional information regarding stakeholder theory and engagement.

CSR Reporting

Many organizations report their CSR results to the public. Reports help audiences, such as investors, employees, suppliers, and customers, make informed decisions about their involvement with the organization. Each organization makes a business decision as to the cost/benefits of producing such information and what specific information to include.

Reporting methods can include publishing a standalone CSR report, integrating CSR information into the annual report, and preparing select CSR information booklets on specific topics or events for public distribution. Distribution formats include: Web pages, booklets, press releases, regulatory filings, handouts and presentations at public stakeholder meetings, videos, infomercials, and commercials. There are several laws that require organizations in particular sectors to publicly disclose certain CSR practices and activities, especially for corporate governance and environmental compliance. For example:

• In Canada, banks and federally incorporated trust and insurance firms with more than $1 billion in equity are required by federal law to produce annual public accountability statements outlining their contributions to the economy and society.
• In the United Kingdom, legislation requires pension fund trustees to publish a comment in their investment statements on the extent to which their investment policies address social, ethical, and environmental issues.
• In France, laws require companies to report on the social and environmental impacts of their activities.

Organizations reporting their CSR results face challenges in choosing which subjects to report, developing and presenting performance metrics, and comparability of the information. Organizations once faced these challenges when presenting financial information; however, years of developing accounting and reporting standards have minimized this. For CSR information, there are organizations developing voluntary reporting standards, such as the Global Reporting Initiative, but comparability will continue to be a challenge until standards are met by most organizations worldwide. Also influencing the reporting process are international not-for-profit organizations that benchmark CSR reports, giving awards to those that best meet their evaluation criteria.

To meet stakeholder demands for accountability, and to reduce the appearance of the report being viewed as a marketing ploy, many organizations are using verification and assurance processes for all or part of the reports.9 Organizations have used internal reviewers (including internal auditors), independent third parties, community or expert advisory panels, or a combination of these to perform the assurance process. Third parties include external audit firms, subject matter experts in environmental sciences and human rights, and other relevant consultants. There are also international not-for-profit organizations, such as AccountAbility, that produce standards (AA1000) for assurance of CSR reports to help strengthen the assurance process. Professional accounting organizations also have published standards for assurance of nonfinancial information, which includes CSR information. Organizations that need to satisfy many stakeholders regarding their compliance with CSR terms and conditions may choose to become certified as meeting ISO or SA8000 standards.10

Another challenge to credibility and transparency is that organizations are expected to present the negative as well as the positive, the failures as well as the successes. For some organizations, this may represent a culture shift, and it may also introduce liability risk.

9. Consider evaluating the use of CSR issues in advertising strategies during an operational audit of marketing.
10. Social Accountability International, a not-for-profit organization, has established SA8000 as an international standard for improving working conditions.

Approaches to Evaluating CSR

Definition of internal auditing: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.11

As part of the risk assessment and audit planning process, the CAE considers the CSR risks and whether to include all or part of the processes in its audit universe and audit plans. The CAE also should be aware of CSR issues in order to respond to any special requests by the board or senior management.

Auditing
The internal audit activity may choose to evaluate the CSR programs as a whole and determine whether the organization has adequate controls to achieve its CSR objectives. This option would likely require a significant allocation of resources because of the broad scope of the subject. Such an audit is not likely to be done to develop the first opinion on CSR controls; rather, the CAE would develop a one- to three-year plan to obtain sufficient and reliable information about the various elements of CSR within the organization.

There are many approaches to auditing CSR controls, including:

1. Separate audits of each element of CSR that are further refined into audits of these subjects at the corporate office, subsidiaries, and with external business relationships. Management processes can be evaluated based on internal control or quality frameworks, such as COSO,12 ISO,13 etc., or compliance with customer expectations (contractual obligations). Typical CSR elements include:
• Governance.
• Community investment.
• Environment.
• Ethics.
• Health, safety, and security.
• Transparency.
• Working conditions and human rights.

2. Audits of CSR programs related to each significant stakeholder group affected by CSR activities that are further refined into audits of these subjects at the corporate office, subsidiaries, and with external business relationships. Stakeholders could include:
• Customers.
• Employees and their families.
• The environment.
• Neighboring communities.
• Shareholders.
• Suppliers.

Some of these stakeholder groups could include nongovernmental organizations (NGOs) and activist groups that represent the stakeholders or specific interests.

3. Bundling of subjects, such as the:
• Workplace: employer of choice, health and safety, environmental management practices, diversity and equality, training and development, ethics, governance, and human rights.
• Marketplace: product quality and safety, responsible advertising and sales, responsible supply chain

11. Emphasis added for this paper.
12. Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control–Integrated Framework, www.coso.org.
13. International Organization for Standardization, www.iso.org.

management, product development and testing practices, product stewardship, disclosure practices, and privacy.
• Environment: responsible air, water, land, waste, animal, and energy use and regulatory compliance.
• Community: philanthropy, local economic support, capacity building, volunteerism, and stakeholder engagement.

4. Audits of the internal controls over risk management, recording, measuring, and reporting of CSR activities within each department or function that is covered in the audit plan. For example, there would be a standard audit program section with audit steps that cover the same CSR tests in every audit performed. At the end of 10 audits, the CAE would have 10 sample results of CSR activities on which to base an overall conclusion of internal control operating effectiveness.

5. Assurance audits of public disclosures of financial and nonfinancial information related to CSR or any of the individual CSR elements. Most organizations with stated CSR objectives provide public information about their approach and results. These audits could be undertaken with the CAE as project manager, coordinating internal and external resources as required, or an internal auditor could be assigned to an assurance team coordinated by another senior person within the organization.

6. Audits of third parties for contractual compliance, including compliance with CSR terms and conditions. A proactive role may also be taken. For example, internal auditors could perform a review as part of a supplier pre-qualification process.

Upon completion of the CSR-related audit programs, an opinion of the overall CSR controls can be developed.

Facilitating
The internal audit activity may facilitate a management self-assessment of CSR controls and results. This process would be developed based on a risk assessment and results in action items for control improvements.

Consulting
The internal audit activity may consult on project design and implementation for CSR programs and reports or serve as an adviser on CSR governance, risk management, and internal controls.

Audit Considerations

Use of Audit Opinion
Senior management or the board may choose to publicly state that it relies on its internal controls to produce reliable information for public reporting. Management might also ask the CAE to provide a statement for the CSR report, saying that the internal audit activity has provided assurance on the information contained in the report. The CAE should ensure that the elements of the Formulating and Expressing Internal Audit Opinions Practice Guide have been reviewed before issuing an opinion about the organization’s CSR program. Caution should be taken to manage liability associated with the opinion, if it is published.

Independence and Objectivity
Often, the internal audit activity may have an operating role within the CSR processes, giving rise to concerns about its independence and objectivity. For example, internal auditing may be responsible for investigations and tracking results for allegations of fraud or violations of law. Information about fraud and noncompliance investigations may form part of the CSR program and reports to the public. This would put the auditors in the position of evaluating and reporting on their own activities, which threatens their independence and objectivity. However, this could be overcome by using independent auditors to assess this portion of the CSR program and reports.

Skills and Body of Knowledge
The IPPF provides authoritative guidance for the performance of internal auditing, including proficiency and due

professional care requirements. If the internal audit activity conforms to the IPPF, then it is qualified to undertake the roles listed above.

Any internal audit activity that collectively lacks the appropriate skills and knowledge should not undertake an internal audit, facilitation, or consulting engagement. Specific CSR competencies could include expertise in regulations, management systems and best practices relating to the environment,14 health and wellness, safety, science and engineering, ethics, community investment, employment, human rights, working conditions, and governance. Language and other communication skills are also important considerations when discussing sensitive issues, such as working conditions or ethics violations, and for designing surveys.

If the internal audit activity is involved in facilitating a control self-assessment, facilitation skills are critical. Auditors who have the IIA’s Certification in Control Self-Assessment designation can be an asset to this process.

Resources
The number of auditors and skills required depends on the audit approach.

Teaming internal auditors with internal subject matter experts is useful; it provides an opportunity for the auditors to learn the subject, and for other employees to learn more about a logical approach to evaluating process effectiveness and internal controls. The subject matter experts should not be members of the area being audited. They could be employees in similar departments of subsidiaries or other divisions.

If the organization hires an external service provider to provide assurance on CSR reports, the CAE should consider the benefits of loaning a member to the assurance team. Such benefits can include internal auditor training opportunities, the lessons learned on the project stay within the organization, and the internal auditor can assist the team in accessing information more efficiently due to his or her knowledge of the organization.

The organization should evaluate the pros and cons of using nongovernmental organization (NGO) members on an audit or assurance team, including: more time will be required to train external parties on the audit process; external parties might not be bound by confidentiality standards; by their nature, NGOs have special interests, and their representatives will not be unbiased and objective and may not prioritize issues the same as the organization; a report that includes a positive statement from an NGO is deemed to be more credible; new ideas and fresh observers might help the organization better understand the CSR issues and activities; the NGO would gain a better understanding of the organization.

CSR Maturity Model
The CAE considers the organization’s CSR maturity level at the time of the internal audit, and the level to which the organization hopes to progress. This information will help the auditor frame recommendations as audit findings or as ideas to help move the organization toward its goal.

A sample maturity scale could include:

1. Senior management and the board have not initiated any CSR objectives or strategies.
2. The CSR strategy is “to comply with laws and contractual commitments.”
3. Ad hoc recognition of specific CSR risks and strategies to meet objectives exists in some divisions of the organization. The organization’s goal is to exceed compliance requirements. Reporting is selective.

14. Such as those having the Certified Professional Environmental Auditor (CPEA) designation.

IPPF – Practice Guide
Evaluating Corporate Social Responsibility/Sustainable Development

4. A set of integrated and managed CSR strategies and performance measures — reported to the public — with governance processes is in place.
5. CSR is a primary feature of the organization’s mission, principles, and performance measures. Formal reports are produced for the public, stakeholder engagement processes are in place, and CSR factors are embedded into business decision-making processes throughout the organization, including at board levels.

Internal Audit Program Development (Considerations)

The following discussion (and information contained in Appendices A and B) includes concepts to help internal auditors think through various subjects when developing the audit program. Because the audit scope and program are based on a risk assessment for the organization, not all of the concepts within this guidance will be relevant.

Consider the proliferation of CSR information that the organization produces. Are the messages consistent and current in public reports, speeches, and handouts/presentation materials and on the organization’s Web sites? How are disclosure and updating controlled? Are the messages relevant to the organization’s mission, goals, objectives, and commitments?

Has the organization made a decision to report information consistent with reporting standards, such as the Global Reporting Initiative? Can the information be compared with the organization’s competitors or industry peers?

How are CSR strategies and priorities established and communicated? How are they integrated into decision making and approval processes (e.g., budget, appropriations, mergers, acquisitions, and joint ventures, performance evaluation and bonuses, leadership training, and stakeholder relations)? What takes precedence when there are competing objectives?

Is the organizational structure of CSR responsibilities and authority documented for all elements? Are responsible positions staffed with experienced and qualified individuals?

Is the organization signatory to voluntary standards of performance? Why or why not? Were the standards adopted by management, or by the board? How are they integrated into management practices? How is compliance monitored in the organization? Standards include:
• AccountAbility AA1000 — principle-based standards that provide the basis for improving the sustainability performance of organizations.
• Amnesty International — focused on protecting and championing human rights worldwide.
• CERES Principles — 10 principles covering major environmental concerns.
• Clean Clothes Campaign (Code of labor) — intended to improve working conditions in the garment and sportswear industries.
• Electronic Industry Code of Conduct (EICC) — standards for labor, health, safety, and the environment in manufacturing and throughout the supply chain.
• European Commission’s Eco-management and Audit Scheme (EMAS) — public reporting on environmental performance.
• Eurosif Transparency Guidelines.
• Ethical Trading Initiative — strives to improve the lives of workers in global supply chains.
  • Base Code — best practices in codes of conduct.
• Fair Labor Association (FLA) — seeks to improve working conditions.
  • Workplace code of conduct.
• Global Reporting Initiative 2002 — introduces international reporting guidelines.
• Global Sullivan Principles of Social Responsibility — principles that encourage companies to support economic, social, and political justice.
• Greenhouse Gas Protocol Initiative, International Chamber of Commerce.
  • Business charter for sustainable development.
• Green-e — independent consumer protection program for the sale of renewable energy and greenhouse gas reductions in the retail market.
• Imagine Canada — advancing knowledge and relationships to foster effective and sustainable charitable and nonprofit organizations.
  • Ethical Program — fundraising and financial accountability standards.
  • Caring Company Program — providing guidance and standards that help members become better corporate citizens.
• Interfaith Center on Corporate Responsibility (ICCR).
• International Organization for Standardization (ISO) 14000 — a family of standards for creating environmental management systems.
• International Labor Organization Conventions (ILO Tripartite Convention) — 28 recommendations concerning multinational enterprises and social policy.
• Kyoto Protocol.
• OECD Guidelines for Multinational Enterprises — addressing a comprehensive range of responsibility issues.
• Natural Step framework and principles.
  • Convention for combating bribery.
  • Principles of corporate governance.
• Responsible Care initiative (chemical industry).
• Rio Declaration on Environment and Development — the right of people to development. Signatories have the responsibility to safeguard the environment.
• Social Accountability 8000 — a global standard to make workplaces more humane.
• United Nations.
  • Universal Declaration of Human Rights and related instruments.
  • UN Global Compact.
  • Climate Neutral Network.
  • Principles for Responsible Investing.
• Voluntary Principles on Security and Human Rights — principles on human rights and security in mining and petroleum industries.
• Worldwide Responsible Apparel Production (WRAP) — 12 standards of labor practices, factory conditions, and environmental and customs compliance.

How does the organization manage compliance with local and international laws?

Does your organization meet standards required for inclusion in environmental or social investment funds? Why or why not? Screening agencies include:
• Dow Jones Sustainability World Index (DJSI).
• Morningstar Socially Responsible Investment Index.
• FTSE 4 Good Global Indexes.
• EIRiS – Ethical Investment Research Services.
• Jantzi Social Index.

Can the CSR — especially environmental or human rights — activities of external business relationships impact the organization’s reputation? If yes, then contracts should include CSR performance terms and conditions, and compliance should be tested. The internal audit activity may be involved in such tests or receive reports on results of tests done by others.
Can the CSR activities of customers impact the organization’s reputation? Would the organization refrain from selling products to organizations with irresponsible or unsustainable practices? Does it provide programs to encourage or facilitate customers to be responsible with its products?

How well controlled are the mechanisms put in place for capturing CSR information and developing and reporting performance metrics? What spreadsheets are used, and are there adequate spreadsheet controls to ensure complete, accurate, and timely information?

If your organization publishes a CSR report:
• Is the disclosure process for CSR results as rigorous as for financial reporting?
• Does it contain clear messages that are aligned with the company’s vision and commitments?
• Does it contain balanced reporting (i.e., the good with the bad), performance measures, and trends?
• Does it help the reader understand the issues and the organization’s accountabilities?
• How does the organization’s CSR program compare with others?
• Has it competed for awards, such as the Asian CSR Awards, the Arabian CSR Awards, China CSR Awards, and the International Community Service Award given by the U.S. Chamber of Commerce Business Civic Leadership Center? Has it received recognition in other benchmarking programs, such as the Human Rights Campaign’s Corporate Equality Index, Institutional Investors’ “Top Shareholder-Friendly Companies,” Global Challenges Index, Pegasus Corporate Social Responsibility Awards, TERI Corporate Awards, or Ethisphere magazine?
• How good is the CSR report? Has it been benchmarked by independent organizations such as PR News’ CSR Awards, Carbon Disclosure Leadership Index, CERES, or Stratos Inc.?
• Has the organization asked for feedback? What did the feedback say, and what was the organization’s response?
Appendix A – Auditing by Element

With this audit approach consider how compliance with laws, regulations, and contractual obligations is managed for all elements.

Governance
• Do board members have sufficient and relevant information to fulfill their roles and responsibilities? Board terms of reference, agendas, and minutes are sources of information about board governance and oversight responsibilities and monitoring of CSR. The board information package management sends before meetings shows the type of information provided for board members to monitor CSR activities. Do budgets approved by the board have sufficient resources allocated to achieve CSR objectives?
• Do the board and management report reliable financial and nonfinancial information to stakeholders?

Ethics
• Anti-corruption is the most important ethical issue in a CSR context. Is anti-corruption included in the organization’s risk assessment, code of conduct, and policies?
• Is there a reporting system for stakeholders to report concerns or allegations of ethics violations? Are there appropriate protection systems in place for those who raise concerns?
• Are there investigation standards or protocols in place to gather evidence, manage cases, and protect the rights of parties involved in the investigation? Is the process credible? Are root cause analysis and improvement of controls part of the resolution process? Is disciplinary action appropriate and consistent?
• Is there a process for disclosure of conflicts of interest? Are acceptance or constraints documented and conditions monitored?
• What methods exist to provide ethics advice, training, and awareness to help stakeholders understand the organization’s principles, processes, and practical application of the Code of Conduct?
• Are ethics program performance measures and metrics maintained and reported? Are benchmarking and trend analysis performed and reported to senior management and the board?

Environment
• Are social and environmental impact assessments performed:
  • As part of risk management programs?
  • As part of investment decision-making and approval processes?
  • Do they include conflict risk?15
• Are life cycle value assessments done for assets and product development?
• Are green or socially responsible procurement processes in place? How are they monitored?
• Are incidents reported, managed, and resolved appropriately?
• Are environmental program performance measures and metrics maintained and reported? Are benchmarking and trend analysis also performed and reported to senior management and the board?
• Are results of audits — internal, regulator, and external — reviewed and commitments monitored and tracked to completion?
• Are reduce, reuse, and recycle concepts integrated into operations?

15. Conflict risk exists when war, civil unrest, labor unrest, or activism could impede achievement of the organization’s goals and objectives, including CSR goals. In a conflict risk impact
assessment an organization analyzes the characteristics of a proposed investment and the potential impacts (negative and positive, intended and unintended) it may have on tensions in
the region or community.
• Do risk assessments consider air (greenhouse gas and other emissions, climate change, and carbon footprint), water (use and effluent), land (reclamation, recreational spaces, garbage and disposal of hazardous wastes, conservancy, and stewardship), and animals (product testing, ecosystems, and biodiversity)?
• Do environmental emergency plans exist? Do these plans balance privacy of personal information with access to information for employees and the community?
• Does the organization calculate its carbon footprint and does it have offset programs in place? If so, are calculations accurate and complete, and are the strategies effective?

Transparency
• Does the organization manage stakeholder information appropriately, such as balancing privacy of personal information with access to information?
• Is accountability a clearly stated principle, and is it demonstrated by balanced reporting of the failures as well as successes?
• Are there effective disclosure controls to ensure fair, consistent, and timely reporting?
• Does the organization follow appropriate accounting standards?
• Do stakeholder engagement policies and practices exist?
• Are CSR-related policies available to the public (e.g., on the Web site)?
• Is there a crisis management plan that includes communication with stakeholders?

Health, Safety, and Security
• Are health and safety risk assessments performed as part of investment decision-making, product development, and approval processes? Do they include conflict risk and workplace violence?
• Are health and safety management programs included in procurement processes? How are they monitored?
• Are incidents reported, communicated, managed, and resolved appropriately? Are the results of incident investigations and resolution appropriately reported with the recognition of personal information protection?
• Are health and safety program performance measures and metrics maintained and reported? Are benchmarking and trend analysis also performed and reported to senior management and the board?
• Are results of audits — internal, regulators, and external — reviewed and commitments monitored and tracked to completion?
• Are stakeholders provided sufficient information to make informed decisions about health and safety risks?
• Are stakeholders provided sufficient training and equipment to work safely?
• Are product safety (during product life cycle) and recall programs in place?
• Is there a comprehensive product stewardship program in place to evaluate and minimize the risks of products from cradle to grave (life cycle value assessment)?

Human Rights and Work Conditions
• Does compensation consider fair pay, living wages, and job opportunities?
• Does the organization have a security program, and has it considered human rights when developing and implementing security measures, especially in conflict regions?
• Are there effective policies and programs to prevent and manage discrimination and harassment?
• What labor standards are in place (child labor, forced labor, working hours, employment equity, and diversity)?
• Does the organization accept freedom of association and the right to collective bargaining for employees?
• Is there a conflict risk and impact assessment? How is conflict managed? Is there a crisis management plan?
• Is there a complaint management system for issues to be reported, investigated, and resolved?
• Are there socially responsible procurement practices? If so, how are they monitored?

Community Investment
• What philanthropy (donations and charitable giving)
practices are in place, and how are decisions made?
An example would be adopting voluntary “giving” stan-
dards, (e.g., the Imagine program in Canada, where sig-
natories donate 1 percent of profits each year).
• Have the cost and benefits of foundations been con-
sidered (e.g., tax benefits, focused giving)?
• Has the organization distinguished the cost/benefits of
sponsorships compared with philanthropy?
• Does the organization encourage volunteerism? What
programs are in place?
• Does the organization facilitate employee or cus-
tomer philanthropy, or match employee or customer
philanthropy?
• Are social and environmental impact assessments per-
formed? How are community stakeholders engaged in
these assessments?
• Is there a complaint management system for the com-
munity to report issues or concerns? Are the com-
plaints managed and resolved effectively?
• Are there quotas or similar efforts to support local,
indigenous, or special interest suppliers?
• Have strategic partnerships been established within
the community?
• How does the organization contribute to local eco-
nomic development (e.g., purchasing in the local,
regional markets; local education and training to
reduce unemployment; and supporting infrastructure
that the presence of the organization may stress)?
• How are community investment strategies measured,
monitored, and evaluated? By whom?
Appendix B – Auditing by Stakeholder Group

When using this audit approach consider how compliance with laws, regulations, and contractual obligations is managed for all elements.

Employees and Their Families
• Volunteerism.
• Facilitation of employee or customer philanthropy, or matching employee or customer philanthropy.
• Health, safety, and security in the workplace and at home.
• Fair and prompt payment, living wages, and job opportunities.
• Discrimination and harassment.
• Labor standards (child labor, forced labor, working hours, and employment equity and diversity).
• Freedom of association and the right to collective bargaining.
• Privacy of personal information; access to information.
• Involvement of, and respect for, indigenous people.
• Conflict risk and impact assessment methodology.
• Complaint management systems.
• Alternatives to layoffs and downsizing.
• A clear business model for outsourcing work.
• Availability of a resource or referral for confidential counseling.
• Employee satisfaction.
• Religion in the workplace.

The Environment
(See Appendix A – Environment)
• Environmental stakeholder engagement/Nongovernmental organization (NGO) engagement.

Customers
• Facilitation of employee and/or customer philanthropy, or matching employee or customer philanthropy.
• Product safety and recall processes.
• Privacy of personal information; access to information.
• Discrimination and harassment.
• Involvement of, and respect for, indigenous people.
• Fair and image-appropriate advertising (transparency and honesty).
• Anti-corruption (fair competition, bribery, and conflict of interest).
• Complaint management system; customer satisfaction.

Suppliers
• Fair rates and payment terms.
• Local capability building programs.
• Privacy of personal information; access to information.
• Discrimination and harassment.
• Involvement of, and respect for, indigenous people.
• Anti-corruption (bribery, conflict of interest, and fair competition).
• Complaint management system; supplier satisfaction.
• Incorporation of social, health, safety, and environmental values into purchasing decisions.
• Supplier audits, including review of CSR terms and conditions.
Neighboring Communities
• Philanthropy (donations and charitable giving).
• Safe operations and emergency response programs.
• Community relations, community satisfaction.
• Local capability programs.
• Partnering to build skills and cost effectiveness with
local businesses.
• Local economic support programs.
• Privacy of personal information; access to information.
• Involvement of, and respect for, indigenous people.
• Conflict risk and impact assessment methodology.
• Complaint management system.
• Community quality of life projects.
• Striving to balance the impacts of the business and
create communities where the employees and their
neighbors are happy to live. This could include parks,
charitable giving campaigns, etc.
• Community education.

Shareholders and Investors
• Optimize effects of donations and sponsorships.
• Tax effectiveness, compliance with laws.
• Branding opportunities.
• Privacy of personal information; access to information.
• Accountability and transparency.
• Disclosure controls — to the public and to investors.
• Compliance with securities regulations, including good
governance.
• Long-term sustainability strategies.
• Compliance with accounting standards.
• Shareholder rights.
• Anti-corruption (bribery, conflict of interest, misrepre-
sentation, and compliance).
Appendix C – Stakeholder Theory

In the traditional view of the firm — the shareholder view (the only one recognized in business law in most countries) — the shareholders or stockholders are the owners of the company, and the firm has a binding fiduciary duty to put their needs first to increase value for them.

In older input-output models of the corporation, the firm converts the inputs of investors, employees, and suppliers into usable (salable) outputs that customers buy, thereby returning some capital benefit to the firm. By this model, firms only address the needs and wishes of those four parties: investors, employees, suppliers, and customers.

However, stakeholder theory argues that there are other parties involved, including governmental bodies, political groups, trade associations, trade unions, communities, associated corporations, prospective employees, prospective customers, and the public at large. Sometimes even competitors are counted as stakeholders.

Each stakeholder has some special interest that will be impacted by the operations of an organization, and therefore will make social or legal demands of it. How the organization chooses to act will influence the response of the stakeholder. Building relationships and mutual confidence is an important consideration for sustainability.

Stakeholder engagement is a formal process for managing relationships. Engagement theory suggests that management is in a better position to act if it first listens to the issues and ideas of stakeholders, takes the best course of action that is aligned with its principles and objectives, involves the stakeholders in monitoring progress, and reports periodically. The organization should determine who its primary stakeholders are, those with whom engagement is important for the organization.

“Companies that build strong, mutually beneficial relationships with stakeholders also tend to enjoy enhanced financial performance.” 16

16. Source: Boston College, as quoted on http://www.interpraxis.com/stakeholderengagement.htm.
Appendix D –
Additional Resources
For more information on ethics and compliance audits,
measurements and metrics, see the Open Compliance and
Ethics Group at www.oceg.org.

The Global Reporting Initiative is one standard for reporting to the public: www.globalreporting.org.

IIA Guidance
• Practice Guide: Auditing External Business Rela-
tionships.
• Practice Guide: Formulating and Expressing Internal
Audit Opinions.
• PA-2130.A1-2: Evaluating an Organization’s Privacy
Framework.
• “Managing the Business Risk of Fraud, A Practical
Guide.”
• IIA seminar: Evaluating Organizational Ethics.
• IIA seminar: Evaluating Social Responsibility and Sus-
tainable Development.
Practice Guide Team Members
Lynn C. Morley, CIA
Carlos Reyes Balza, CIA
David W. Zechnich, CIA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Practice guides are part of The IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through a formal review and approval process. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this practice guide is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters: 247 Maitland Ave., Altamonte Springs, FL 32701 USA
T: +1-407-937-1111  F: +1-407-937-1101  W: www.theiia.org
– Practice Guide

Evaluating Ethics-related Programs and Activities

June 2012
IPPF – Practice Guide
Evaluating Ethics-related Programs and Activities

Table of Contents

Executive Summary ........................................................................................ 1
Introduction ................................................................................................... 2
Definitions ..................................................................................................... 2
Responsibilities for Ethical Climate ................................................................ 3
Considerations for an Audit of Ethics ........................................................... 10
Appendix A: Examples of Audit Tools in Evaluating Organizational Ethics .... 13
Appendix B: Pertinent Strongly Recommended Guidance ............................. 27
Authors and Reviewers ................................................................................ 29

www.globaliia.org/standards-guidance / C

Executive Summary

A strong ethical culture is the foundation of good governance. An ethical culture is created through a robust ethics program that sets expectations for acceptable behaviors in conducting business within the organization and with external parties. It includes effective board oversight, strong tone-at-the-top, senior management involvement, organization-wide commitment, a customized code of conduct, timely follow-up and investigation of reported incidents, consistent disciplinary action for offenders, ethics training, communications, ongoing monitoring systems, and an anonymous incident reporting system.

IIA Standard 2110.A1 requires that the internal audit activity evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities. This Practice Guide provides guidance for evaluating program effectiveness and compliance; it includes a potential audit approach, procedures, tools, and techniques. It is developed based on both Mandatory and Strongly Recommended Guidance incorporated in The Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF).

Key Roles of Internal Audit in Organizational Governance

As stated in IIA Standard 2110: Governance, internal audit is responsible for assessing the governance process and recommending improvements to promote appropriate ethics and values within the organization.

The internal audit activity may fulfill these responsibilities by:
• Assessing the state of the organization’s ethical climate and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance.
• Evaluating the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.
• Providing assurance that ethics programs achieve stated objectives, key risks are effectively managed, and controls continue to operate effectively.
• Providing consulting services to help the organization establish a robust ethics program and improve its effectiveness to the desired performance level.
• Serving as a role model and ethics advocate. Internal audit has a high level of trust, integrity, and competence to advocate appropriate conduct to comply with the organization’s legal, ethical, and societal responsibilities and promote appropriate ethics and values.
• Serving as a subject matter expert on ethics-related issues and as a member of the organization’s ethics council (or equivalent).
• Acting as a catalyst for change, promoting and recommending enhancements for the organization’s governance structure and practices.

There are numerous governance and ethics-related regulations around the world. Violations may create significant reputation impairment and heavy penalties for an organization. Internal audit can provide substantial value by assuring senior management and the board that effective ethics programs are in place and operating effectively.

Target Audience

Ethics is an integral part of organizational governance. The four pillars of organizational governance — the board, management, internal audit, and external audit — along with other stakeholders such as regulators, shareholders, business partners, suppliers, and service providers, should be knowledgeable about matters concerning an organization’s business ethics.

Introduction

This guide provides internal auditors with a framework for the evaluation of ethics-related programs and activities. Because various countries and cultures have different views of what is considered ethical behavior, the guide provides a range of examples, definitions, and principles that are not meant to be comprehensive but to provide a platform on which internal auditors can build their evaluations. The principles apply equally to the public and private sectors.

IIA’s Code of Ethics for Internal Auditors — Practice What We Preach

While this Practice Guide focuses on internal auditors’ evaluation of the design, implementation, and effectiveness of an organization’s ethics-related objectives, programs, and activities, it is appropriate to highlight the importance of ethics for internal audit professionals. The IIA’s Code of Ethics underlies the conduct of internal audit work and compliance with the Code is mandatory.

Compliance with the Code of Ethics is mandatory because of the trust placed by internal and external stakeholders in the internal audit profession and the activity. Internal audit must be viewed as a role model and an advocate of strong ethics. Compliance with the IPPF is consistent with other professional bodies’ requirements to follow a strong standards framework.

The IIA’s Code of Ethics is applicable to the internal audit activity and its staff. Internal auditors must apply the principles to all aspects of their work and their relationships with the audit committee, management, employees, and other stakeholders. Noncompliance can result in disciplinary actions, including expulsion from The IIA and withdrawal of the Certified Internal Auditor (CIA) designation.

Pertinent IPPF Elements

While the International Standards for the Professional Practice of Internal Auditing (Standards) in its entirety is applicable to evaluating ethics programs, there are some standards, Position Papers, Practice Advisories, and Practice Guides that are directly related to assessment of ethics-related objectives, programs, and activities. Some require advance considerations during engagement planning (e.g., conducting work under attorney-client privilege or determining reliance on work performed by other internal and external assurance providers). One standard warrants particular attention.

Pertinent Mandatory Guidance

2110 – Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• “Promoting appropriate ethics and values within the organization….”

2110.A1 – The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

Pertinent Strongly Recommended Guidance
Refer to Appendix B for a listing of pertinent non-mandatory guidance.

Definitions

Definitions – One Size Does Not Fit All
To facilitate the use of this Practice Guide, we offer general definitions of some key terms. It is important to keep in mind that business ethics vary across countries, cultures, and organizations. Internal audit should gain an in-depth understanding of its organization’s business culture and context by:

2 / www.globaliia.org/standards-guidance
IPPF – Practice guide
evaluating ethics-related Programs and activities

• Reviewing the organization’s mission, vision, strategic plan, code of conduct, allegation reporting system, related regulatory and privacy requirements, etc.
• Researching the culture of the various countries where the organization’s business units are located and the countries with which they do business (e.g., the Internet has extensive information on doing business in Brazil, Russia, India, China, and all the major countries around the world).
• Confirming internal audit’s understanding with management and employees.
• Reflecting on insights from past business issues and audit findings.
• Reviewing applicable legislation and guidelines.

Definition of Ethics
(from Thomson Gale Encyclopedia)

“Ethics is the branch of philosophy that defines what is good for the individual and for society and establishes the nature of obligations or duties that people owe themselves and one another.”

Elements of Business Ethics

Organizations will set their own standards of ethical conduct. These standards should be complementary to the ethical standards of the country or region. Key elements of business ethics include:

• Business ethics is a major element of governance.
• Business ethics relates to principles that are considered desirable by the majority of management or governing bodies in conducting business.
• Business ethics are a consensus of what is deemed acceptable behavior for a particular organization. This consensus position is derived from compromises between key constituents, and is agreed to by the board and executives. Therefore, it is not likely to match the personal ethics of everyone.

Directors and employees are required to follow these principles; business partners, suppliers, contractors, and third-party service providers may also be required to abide by them.

Definition of Values
(from Dictionary.com)

Values are an integral part of an organization’s code of ethics. “Values are the beliefs of a person, social groups or organizations; they are rules by which one makes decisions about right and wrong, should and should not, good and bad.” They also tell us which are more or less important, which is useful when we have to trade off meeting one value over another.

Values are the embodiment of what an organization stands for, and should be the basis for the behavior of its members. They state either an actual or an idealized set of criteria for evaluating options and deciding what is appropriate, based on long experience. An organization may publish one set of values (stated values) that is very different from the values that actually guide organizational behavior (operating values). When there is a disconnect, it may be difficult to determine what is “acceptable.” Staff quickly learn the operating values, or they don’t survive for long in the organization. To the extent operating values differ from stated values, the organization will not only suffer from doing things less effectively, but also from the cynicism of its employees who will not trust its leadership.

RESPONSIBILITIES FOR THE ETHICAL CLIMATE

Board of Directors or Oversight Group

The board of directors or oversight group oversees the ethical climate, ensures management has sound ethics-related objectives and programs, and needs assurance that

these programs are effective in creating the desired ethical climate throughout the organization. Internal audit is best positioned to give that assurance because it experiences the ethical climate directly but is independent from management and charged with identifying weaknesses and opportunities for improvement. The chief audit executive (CAE) should ensure the board understands this and also that internal audit has the competence to provide that assurance.

Senior Management

Senior management has primary responsibility for promoting and exemplifying ethical behavior. The importance of tone-at-the-top cannot be overstated. Ethics programs, no matter how well designed and executed, will struggle to accomplish their purpose if employees see executives behave with questionable ethics or accept such behavior from others.

The specific methods management uses to promote ethical behavior will vary according to the organization’s environment and maturity. For a small organization with frequent interaction between senior management and employees, leadership by example and informal communication may be more influential. A larger, more mature entity with an enhanced, highly effective ethical culture will likely include most or all of the following:

(a) A formal code of conduct, which is clear and understandable, and related statements, policies (including procedures covering fraud and corruption), and aspirational views.
(b) Frequent communications and demonstrations of expected ethical attitudes and behavior by the influential leaders of the organization.
(c) Explicit strategies to support and enhance the ethical culture with regular programs to update and renew the organization’s commitment to an ethical culture.
(d) Several easily accessible ways for people to confidentially report alleged violations of the code of conduct, policies, and other acts of misconduct.
(e) Regular declarations by employees, suppliers, and customers that they are aware of the requirements for ethical behavior in transacting the organization’s affairs.
(f) Clear delegation of responsibilities to ensure that ethical consequences are evaluated, confidential counseling is provided, allegations of misconduct are investigated, and case findings are appropriately reported.
(g) A designated person (e.g., an ombudsman) to whom employees can go for advice on how to deal with and whether to report an ethical issue.
(h) Ethics training for all employees, suppliers, and major customers, including exercises in ethical decision-making with scenarios like those employees might encounter in their jobs.
(i) Positive personnel practices that encourage every employee to contribute to the ethical climate of the organization.
(j) Regular surveys of employees, suppliers, and customers to determine the state of the ethical climate in the organization.
(k) Regular reviews of the formal and informal processes within the organization that could potentially create pressures and biases that would undermine the ethical culture.
(l) Regular reference and background checks as part of hiring procedures and prior to engaging in a contract with a customer or supplier, including integrity tests, drug screening, and similar measures as applicable.
(m) Compensation practices that do not inadvertently encourage bending the rules to achieve performance targets.
(n) Appropriate punishments for unethical behavior regardless of the perpetrator (e.g., not making

an exception for a powerful executive or the best salesperson) and publication of the punishment internally by whatever legally feasible means are available.
(o) A designated chief ethics officer to act as counselor of executives, managers, and others and as champion within the organization for “doing the right thing.”

Operating Management

Members of operational management are responsible for promoting, exemplifying, and evaluating ethical behavior in their areas of responsibility. Just as tone-at-the-top is of paramount importance for the organization as a whole, each manager’s attitude and behavior around ethics is centrally important to the ethical subculture in his or her areas.

Other Employees

All people associated with the organization share responsibility for the state of its ethical culture. Because of the complexity and dispersion of decision-making processes in most enterprises, each individual should be encouraged to be an ethics advocate, whether the role is delegated officially or merely conveyed informally.

Third-party Service Providers, Suppliers, Agents, and Customers

While external to the organization, these parties may act as agents of the organization or otherwise be associated with it. This is especially true with outsourced services like IT, accounting, payroll, customs clearance, and research and development. The organization can be held accountable for unethical actions taken on its behalf by these parties. At a minimum, such relationships pose a reputation risk. Certain relationships could result in legal liabilities, penalties, and fines. To protect itself, the organization should incorporate into contracts with these parties a requirement that they comply with its pertinent policies such as those related to accepting or offering gifts, bribes, or “facilitation fees” and conflict of interest disclosures.

Internal Audit

Internal auditors should take an active role in support of the organization’s ethical culture. They should be trusted within the organization and possess a high level of integrity and the skills to be effective advocates of ethical conduct. They should have the competence and capacity to appeal to the enterprise’s leaders, managers, and other employees to comply with the legal, ethical, and societal responsibilities of the organization.

The IIA’s Code of Ethics helps ensure that internal auditors “practice what they preach.” The CAE should ensure that all audit work is performed in full compliance with, and meets the intent of, the Code.

The CAE may assume proactive roles such as becoming a nonvoting member of an internal ethics council or conducting ethics training sessions. The internal audit activity may also play roles that relate to both promoting and assessing ethics, such as hosting the organization’s whistleblowing hotline or conducting fraud investigations. Before accepting such roles the CAE should consider how they would affect the perception of internal audit within the organization.

Internal Audit’s Role in Assessing the Ethical Climate

At a minimum, the internal audit activity should periodically assess the state of the organization’s ethical climate and the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired state.

Assessment methods include:

• An entitywide review of ethics-related policies and processes.
• Audits of specific ethics-related functions, such as the compliance function.

• An entitywide employee survey.
• An audit project employee survey.
• Informally including ethical climate in entitywide and audit project risk assessments and in the execution of audit projects. At a minimum, this should be done on every audit project.

Each of these methods is discussed further below. Regardless of the assessment method, the following main points apply:

• When auditors evaluate the “design, implementation, and effectiveness of the organization’s ethics-related objectives, programs and activities,” an important and challenging attribute is effectiveness. For example, consider an ethics training program. Internal auditors can test the design of a training program by comparing it to “best practice” models. For example, well-designed ethics training includes exercises in which attendees are given a concrete situation and have to make an ethical decision. The instructor gives feedback on thought processes and which decision is most consistent with the organization’s values.

Internal auditors can test the implementation of a training program by checking the qualifications of the instructors, noting the percentage of employees who have taken the training, examining attendee evaluations, quizzing employees later to see if they retained what they learned, etc.

These are all useful tests, but the training program is a waste of resources if it does not achieve the desired effect. To evaluate the effectiveness of ethics training, internal auditors should determine whether employees have internalized the ethical values and are likely to apply them when faced with an ethical decision.

Many internal auditors meet this challenge by using self-assessment — not asking employees to assess their own ethics, which may be unreliable, but asking them to assess the ethical behavior of others or the ethical climate created by management at higher levels. For this sort of self-assessment to be effective, employees must feel safe from retribution.

• Ethics is a sensitive area, and self-assessment involves subjectivity. To reduce resistance to negative results, internal auditors should get management’s buy-in for the audit, including the assessment criteria and evaluation methods. If management agrees to the testing approach and methods, internal audit will be in a stronger position when it comes time to report the factual outcomes of the agreed-upon tests.

There may be situations where the board or oversight group desires an audit of the ethical climate but senior management does not, or when senior management desires the audit but certain operating managers do not. In these cases, the CAE must be certain of full support from the top, use evaluation methods that emphasize confidentiality to protect employees who report honest opinions or wrongdoing by others, gather as much objective evidence as possible, anticipate the resistance that might arise, and develop strategies to overcome that resistance. The CAE should also consider whether the resistance is a symptom of an underlying ethical issue.

• Because of its sensitivity and because the ethical climate does not lend itself easily to a traditional audit rating system, internal auditors might consider using a maturity model. For each attribute to be tested, the board and/or senior management can choose the desired level of maturity, and internal audit can determine the actual level through testing. The review will then identify both strengths and gaps, and give a more complete and balanced picture of the ethical

climate than would an audit opinion. Appendix A provides one example of such a maturity model.

There are various ways of assessing the ethical climate. Five are discussed herein.

Entitywide Review of Ethics-related Policies and Activities

Most organizations communicate ethical values in formal statements like a code of ethics, mission statement, or values statement. Additionally, ethical values are often expressed in function-specific policies like sales, customer service, lending, and investment policies.

Internal auditors might review major policies to identify the statements of ethical values they contain. They could then consider:

• Are ethical values consistent among policy statements?
• Are any policies lacking ethics statements? Should ethics statements be added to be consistent with other statements?
• Are the ethics statements consistently expressed enabling employees to have a cohesive, easily understood picture of the expected behavior?
• Are the statements specific and concrete enough to be meaningful?

Ethical values that are consistent, comprehensive, and concretely expressed are a good starting point for the organization. For the internal audit activity, they will be the high-level criteria for the remainder of the audit, and for other assessment methods.

Ethical statements must be communicated to employees and integrated into their everyday behavior if they are to be effective. Internal auditors might consider the list of methods by which senior management can promote ethical values that was presented earlier in this Practice Guide. Not all of these methods will be appropriate for every organization, but auditors can determine which ones are appropriate for their own company, recommend any that are not being used but should be, and assess those that are being used.

Audits of Specific Ethics-related Functions

Specific ethics-related functions and activities (e.g., the compliance function, ethics training, and hotline) might be evaluated as part of an entitywide review or as a stand-alone audit project.

Entitywide Employee Survey

Policy statements express the organization’s desired ethical values. Ethics-related activities are the means by which management attempts to instill these values into the organization’s culture. But excellent statements and formal activities are quickly subverted when employees observe questionable behavior in their superiors, or when peers tell them, “That’s the theory, but this is how it’s really done,” or “This is what you have to do if you want to get ahead.”

To determine the effectiveness of ethics-related activities, internal auditors must measure the ethical climate itself. One good method for doing this is an entitywide employee survey. Appendix A presents an example that some audit departments have used, adapting it as needed.

In many organizations, management sponsors a similar survey, often administered by a third party that specializes in such surveys. If this is the case, internal auditors can use the results of management’s survey, but they should first evaluate the survey process to determine how much reliance may be placed upon it. In particular, they should determine whether the survey includes meaningful ethics-related questions and whether it is administered in a way that encourages candid and meaningful responses.

Whether evaluating management’s survey process or developing their own, internal auditors should consider the following:

• Employees must feel safe from retribution for giving honest responses. This is usually accomplished by making the survey confidential, and the promise of confidentiality must never be violated. Using an outside vendor that guarantees confidentiality can also be an advantage.
• Ethical issues are rarely yes/no issues; there are always degrees. The most common way of structuring this kind of survey is to have statements like “Senior management of my business unit demonstrates high ethical values” and have employees choose their level of agreement on what is called a Likert scale: Strongly agree, Agree, Disagree, Strongly disagree, or Don’t know (or not applicable).
• Ask for specific comments. Many surveys ask employees to explain why they disagree or strongly disagree with any of the survey statements.
• Consider the level of confidentiality needed. For example, surveys typically ask in what area the employee works. Comparisons of one area to another are valuable, but the smaller the area the less confidential the responses will be. Some surveys give employees the option of giving their names; most do not. The level of confidentiality needed will differ from one organization to another.
• It is often meaningful to stratify responses by level (e.g., senior management, middle management, and staff) or location and compare the differing perceptions, as long as doing so does not compromise confidentiality.
• Consider the length of the survey. The longer the survey the more information it will yield but the lower the response rate is likely to be. The optimum length will vary from one organization to another.
• Survey statements should be phrased in simple, easy-to-understand language. Consider “field-testing” the survey by giving it to several people individually and asking what they think each statement means.
• Consider language and cultural issues when using a survey in more than one country.
• Results, together with action plans addressing issues raised by the survey, should be communicated to employees, so they know that management is listening to them and working to improve the ethical climate.

If internal audit develops its own survey, there are two additional considerations:

• It is important to get buy-in from the board and/or senior management. They must want the information and be willing to address issues that might be raised.
• Consider having legal review the survey to consider liability issues. If legal is likely to be overly cautious, be prepared to discuss the risk versus the potential benefit of the survey.

If an effective entitywide survey is in place, whether sponsored by the internal audit activity or management, internal auditors should consider using the results for:

• Following up on responses that suggest a weakness in the ethical climate to determine, with corroborating evidence, whether this weakness in fact exists and, if so, whether the root cause and possible corrective actions have been identified.
• A macro-level risk assessment. A risk universe item in which employees perceive a weak ethical climate is clearly at higher risk than others.
• A micro-level risk assessment. Survey results should be considered in planning each audit project if they can be broken down to that level. If they point to a specific ethical weakness, testing should be done to

prove or disprove its existence.
• Identifying the root cause of exceptions. These may be traceable to weaknesses in the ethical climate.
• Supporting audit findings. When audit findings and survey results are consistent, both are strengthened.

An appropriately administered employee survey produces objective evidence of employee perceptions, and these perceptions are the most reliable indicator of the actual state of the ethical climate. After all, the ethical climate is what employees think it is, not what senior management wants it to be. At the same time, employee perceptions are subjective. Internal auditors should provide the appropriate perspective about the strength and limitations of employee surveys when reporting results. To the extent possible, internal auditors should identify the root cause of negative perceptions and work with management to develop corrective action plans.

Audit Project Employee Survey

A similar, typically briefer survey can be used during audit projects. Appendix A is an example of a survey used by an organization on every audit project. The considerations discussed previously apply to audit project surveys as well. Some additional considerations are:

• Surveys can accurately measure employee perceptions, but perceptions are not always accurate. Results should not be reported as audit issues unless they have been validated with more tangible evidence. They should, however, be reported to the responsible managers because managers need to know how employees are feeling, and the knowledge might allow them to correct misperceptions.
• Online survey tools allow you to survey 100 percent of the population and easily compile and analyze the results.
• Allowing managers to add survey items of concern to them will increase buy-in and might yield valuable audit information.

Informally Including Ethical Climate in Entitywide and Audit Project Risk Assessments, and in the Execution of Audit Projects

Although less effective than the formal assessment methods discussed previously, internal auditors should at a minimum consider their own perceptions and gather any available evidence about the ethical climate when assessing risk. This is true both when identifying audits to perform and when assessing risk during each audit project.

When performing audits, internal auditors should be alert to ethical concerns. In addition, they might include questions on ethics during interviews, such as the greatest ethical challenge faced by the employee in the past.

Considerations in Reporting Ethical Concerns

Reporting ethical violations or concerns, especially when they involve senior management, can be extremely sensitive. The CAE may want to consult the following Practice Advisories and Practice Guides for guidance:

• PA 2400-1: Legal Considerations in Communicating Results (May 2010).
• PA 2410-1: Communication Criteria (January 2009), #13 on separate reporting to the board.
• PA 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command (May 2010).
• PA 2440.A2-1: Communications Outside the Organization (May 2010).
• PG: Interaction With the Board (August 2011).
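Several of the survey considerations in the preceding pages (scoring a Likert scale while leaving “Don’t know” unscored, stratifying responses by level or location, and the warning that the smaller the group the less confidential its responses are) can be combined into one tabulation routine. The following is a worked example added to this page; it is not an IIA tool and not part of the Practice Guide. The responses are constructed sample data, and the five-respondent suppression floor (MIN_GROUP_SIZE) is an assumption that each organization would set for itself.

```python
"""Stratified Likert-scale survey tally with small-group suppression.

Added worked example for the employee-survey considerations in this
Practice Guide; it is not an IIA tool. The responses below are constructed
sample data, and MIN_GROUP_SIZE is an assumed floor: each organization sets
its own, based on the confidentiality it has promised respondents.
"""
from collections import defaultdict

# Likert options as listed in the guide. "Don't know (or not applicable)" is
# collected but never scored, so it cannot pull an average up or down.
LIKERT = {"Strongly agree": 4, "Agree": 3, "Disagree": 2, "Strongly disagree": 1}
MIN_GROUP_SIZE = 5   # assumption: groups with fewer scored responses are not reported


def tally(responses, key, min_size=MIN_GROUP_SIZE):
    """Group responses by `key` (e.g. "level" or "location") and return, per
    group, the number of scored responses, the percentage that agreed
    (Agree or Strongly agree) and the mean score.

    A group with fewer than `min_size` scored responses is reported only as
    suppressed: publishing a figure for a three-person unit would let anyone
    who knows the unit work out who disagreed, which breaks the promise of
    confidentiality the guide says must never be violated.
    """
    groups = defaultdict(list)
    for r in responses:
        groups[r[key]].append(LIKERT.get(r["answer"]))   # None for "Don't know"
    summary = {}
    for name, raw in sorted(groups.items()):
        scores = [s for s in raw if s is not None]
        n = len(scores)
        if n < min_size:
            summary[name] = {"n": n, "suppressed": True}
            continue
        agree = sum(1 for s in scores if s >= LIKERT["Agree"])
        summary[name] = {
            "n": n,
            "suppressed": False,
            "pct_agree": round(100.0 * agree / n, 1),
            "mean": round(sum(scores) / n, 2),
        }
    return summary


def flag_weak_groups(summary, threshold_pct=60.0):
    """Names of reportable groups whose agreement is below threshold_pct.
    These are leads for follow-up with corroborating evidence, not audit
    findings in themselves (the guide: perceptions are not always accurate).
    """
    return [g for g, v in summary.items()
            if not v["suppressed"] and v["pct_agree"] < threshold_pct]


def _answers(level, location, answer, count):
    """Build `count` constructed responses with the same attributes."""
    return [{"level": level, "location": location, "answer": answer}
            for _ in range(count)]


# Constructed sample responses to the statement "Senior management of my
# business unit demonstrates high ethical values."
SAMPLE = (
    _answers("staff", "Plant A", "Agree", 6)
    + _answers("staff", "Plant A", "Strongly disagree", 4)
    + _answers("staff", "Plant B", "Strongly agree", 5)
    + _answers("middle", "Plant A", "Disagree", 3)
    + _answers("middle", "Plant B", "Agree", 2)
    + _answers("senior", "HQ", "Don't know", 2)
)

if __name__ == "__main__":
    for key in ("level", "location"):
        summary = tally(SAMPLE, key)
        print(f"by {key}:")
        for group, stats in summary.items():
            print(f"  {group}: {stats}")
        print("  follow up:", flag_weak_groups(summary))
```

Stratifying the same responses twice (by level, then by location) is what lets an auditor see, for example, that middle management is the weak stratum while Plant B is not, without ever publishing a figure for the two middle managers at Plant B. Raising min_size makes more groups disappear from the report; that is the intended trade-off between comparison value and confidentiality that the guide describes.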

CONSIDERATIONS FOR AN AUDIT OF ETHICS

Given the range of components of ethics-related objectives, programs, and activities, the CAE will need to determine which components to include in the internal audit plan, based on assessment of applicable risk, the levels of assurance required, the level of maturity of the ethics-related programs, and the approach for conducting the review(s). For example, the CAE may decide to review the ethics program in its entirety or to undertake a rolling program of reviews focusing on different aspects of the ethics program over a number of years. Once the scope and objectives of the audits are determined, the process for conducting the reviews is the same as for any other individual audit.

The Audit Process

The following summarizes the points raised throughout this Practice Guide:

Planning

Review approved documents to gain an understanding of the organization’s ethics programs, including:

• Applicable legislation (e.g., government directives to public sector agencies).
• Organization structure of ethics and compliance functions and reporting relationship to the board of directors.
• Code of conduct/ethics for employees, agents, third-party service providers, and suppliers.
• Annual/periodic reporting requirements to the board of directors on compliance status of the codes of conduct, violations, and corrective action plans.
• Annual attestation of compliance with the code of conduct by the employees.
• Annual disclosure of conflict of interest filed by the employees and management resolutions.
• Mission statement.
• Strategic planning documents (including corporate objectives) or values statements.
• Sales, customer service, lending, or investment policies.
• Employee-related documents such as individual employee contracts, or collective bargaining agreements.
• Induction procedures for new staff.
• Ethics policies for electronic media.
• Job descriptions for ethics coordinators.
• Results and action plans on periodic employee surveys on ethics-related questions.

At this stage, if there have not been any recent employee surveys, it may be appropriate to conduct one to gain an understanding of the organization’s ethical culture and highlight areas of concern/high risk and the control environment.

As discussed earlier in this guide, due consideration should also be given to pertinent IPPF elements such as the Standards and related Position Papers, Practice Advisories, and Practice Guides. The extent and timing of the use of these materials will be dependent on the scope, objectives, and issues arising throughout the internal audit review. It will also be useful for the audit team to review best practices on implementing and auditing ethics-related programs as well as breaches reported in the news.

Assess Risks and Controls

Using the information gathered in the planning phase, assess the risks associated with the organization’s ethics programs.

• Identify inherent risks.
• Based on the documented policies and procedures, identify whether controls are designed to effectively

mitigate identified risks.
• Based on the results of the employee survey, identify areas for further review. For example, management actions do not appear to meet the expected tone-at-the-top; there are gaps between documented controls and actual practices.
• Develop a test plan to provide adequate levels of assurance in accordance with the scope and objectives of the review.

Undertake Testing

There is a range of tools and techniques that may be used to test the organization’s ethics program. This is an area likely to be more sensitive and emotive than other audit topics, so the approach should be tailored with this in mind. The need for confidentiality and sensitivity is heightened.

Keeping in mind Standard 2110.A1, audit testing would likely focus on the following areas, whether in a comprehensive audit or at various stages of a rolling audit program:

Design

The design of the organization’s ethics-related objectives, programs, and activities will have been identified during the planning phase of the review. While a high-level risk assessment will have been undertaken of the design, detailed assessment should now be undertaken. As with other audits, the most significant issues are often related to weaknesses in design. These may include:

• Applicability of the code of conduct (e.g., who has to comply: the board of directors, employees, joint venture employees, agents, third-party service providers, suppliers?).
• Comprehensive coverage of the code of conduct (e.g., does the code cover: integrity in the workplace, such as compliance with health and safety regulations, disclosure of conflicts of interest, integrity of information and use of company properties, litigation and investigations; integrity in the marketplace, such as gifts, entertainment, and gratuities, fair competition, insider trading; and integrity in society, such as avoiding inappropriate payments to government officials and compliance with export regulations; integrity toward the environment, such as compliance with environmental principles and regulations; accountability for compliance; and penalties for violations?).

Implementation

The focus of this testing will likely be dependent on the maturity level of the organization’s ethics-related objectives, programs, and activities (e.g., it may not be possible to assess the effectiveness of the communications plan of an immature ethics program). However, areas of focus may include:

• The communications plan (e.g., have communications been made as designed, to the intended audience, and at the right frequency?).
• Training/awareness programs (e.g., how many employees have attended? How did they rate the training?).
• Processes for raising concerns within assigned areas and escalation processes to management outside the reporting chain.
• Processes for handling ethics-related issues (e.g., are employees using the methods available for reporting such issues? Are reported issues resolved?).
• The process for attesting compliance by employees (e.g., are employees required to attest their understanding of and compliance with the code of conduct?).
• The process for reporting and resolving conflicts of interest (e.g., are employees required to disclose potential and actual conflicts of interest? Is management responsible for working with the employees to resolve reported conflicts? Are there documented approvals on conflict resolution?).

Effectiveness

Internal auditors should assess how successful the organization has been in achieving the objectives of its ethics-related programs and activities. Testing in this area may include:

• A review of ethical issues reported by employees (e.g., are actions taken to resolve issues appropriate? Is retribution ever taken against those who report issues?).
• A review of illegal or unethical acts discovered by means other than employee reporting (e.g., is the number of acts excessive? Is there a pattern indicating an underlying root cause?).
• An assessment of methods used to measure the effectiveness of the ethics-related programs and activities (e.g., how are they reported and to whom? Are actions taken and lessons learned from this reporting?).
• A review of the results of the employee survey conducted earlier (or at this stage if not conducted earlier) and employee interviews that indicate whether employees understand and are committed to the organization’s ethics-related objectives.
• An assessment of the operating effectiveness of the key controls — identified during the risk assessment process — that serve to mitigate risks that impact ethics-related programs.
• An assessment of the accuracy and comprehensiveness of periodic reports to the board of directors.

Reporting

As per the requirements of Standard 2440: Disseminating Results, the CAE must consider the design of the report and decide to whom and how it will be disseminated. As stated earlier in this Practice Guide, because of its sensitivity and because the ethical climate may not lend itself easily to a traditional audit rating system, a maturity model may be the most effective form of reporting.

APPENDIX A: Examples of Audit Tools in Evaluating Organizational Ethics

This attachment presents three examples of audit tools that might be useful in evaluating organizational ethics. They are not the right tools to use for every organization. If used, they should only be used as starting points, with appropriate tailoring to each organization.

Maturity Model 1

Ethics is a sensitive area that does not easily lend itself to traditional audit rating systems. Rather than give an audit opinion on ethics, it might be less inflammatory and more useful to assess the maturity of the various elements of the ethical climate using a maturity model. The following compliance and ethics program maturity model is an example.

Each attribute below is described at five maturity levels: Immature, Repeatable, Defined, Mature, and World Class.

Attribute 1. Code of Ethics (How effectively does the Code outline management’s expectations regarding ethical conduct?)

Immature:
• There is no formally documented code of ethics.
• In general, there are no other means of communicating management’s expectations regarding ethical conduct.

Repeatable:
• A Code of Ethics has been developed, but it may not be comprehensive or current.
• Experienced employees generally understand management’s expectations regarding ethical conduct, but new employees may not have any way of determining those expectations.

Defined:
• A comprehensive Code of Ethics exists, was approved by the Board and is reviewed every two to three years to determine what updates are needed.
• All employees must sign off annually that they comply with the Code of Ethics.
• New employees must sign a document asserting that they have read and understand the Code.

Mature:
• Outside counsel reviews the Code of Ethics as appropriate to ensure it remains current and appropriate.
• The Code of Ethics is reviewed annually and updated as necessary.
• All employees must complete annual questionnaires that ask more probing questions regarding compliance with the Code of Ethics.

World Class:
• Specific compliance policies are in place to support and provide additional guidance on key components of the Code of Ethics.
• Periodic focus groups and/or surveys are conducted with a representative sample of employees to assess their understanding of the Code of Ethics and their perceptions on the level of compliance throughout the organization.

1 Excerpted from Internal Auditing: Assurance and Consulting Services, 2nd Edition, Copyright 2009 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. Reprinted with permission.

Attribute 2. Culture and Consistency (How does the organization perceive management’s commitment to compliance?)

Immature:
• The organization seems indifferent to compliance.
• The program was developed by very few individuals with no outside input.
• There are perceptions of disciplinary inconsistencies and “playing favorites.”
• People are promoted without formal consideration of ethical conduct.
• Noncompliance events are typically learned from complaints versus monitoring or audit activities.

Repeatable:
• There are perceptions that compliance is important.
• The program was developed to address legal ramifications of noncompliance.
• Discipline generally is left to the discretion of business and department managers and, as such, is not consistent.
• While ethical conduct seems to be considered, it’s not a part of job descriptions.
• Noncompliance events generally are reported timely, but there are few efforts to report events before they become noncompliant.

Defined:
• There are perceptions that senior management takes compliance seriously and “walks the talk.”
• The program was developed with input from Legal, Human Resources, and Internal Audit.
• Human Resources is consulted to make sure disciplinary actions are appropriate and compliant with regulations.
• Job descriptions include expectations for ethical conduct.
• Many employees raise compliance questions before they become a problem.
• Employees feel empowered to raise questions about compliance matters.

Mature:
• Compliance and ethics are topics at organization and department-level meetings, ensuring a consistent cultural message.
• The program was developed with input from various employee groups.
• Disciplinary decisions involve an appropriate mix of Human Resources, Legal, and Compliance personnel to ensure appropriateness and consistency.
• Job descriptions and interviews formally cover ethical conduct.

World Class:
• Periodic surveys or focus groups are conducted to assess the perception of compliance culture and make adjustments if needed.
• Periodic input is solicited from employees to help improve the program.
• Disciplinary actions are reviewed by an independent group (e.g., Internal Audit) to support the consistency of such actions.
• People are recognized for demonstrating ethical conduct.
• Employees make recommendations for improving the compliance program.

Attribute 3. Awareness (How aware are employees [EEs] and outside stakeholders of the compliance program and its requirements?)

Immature:
• EEs generally are aware that the program exists, but they are not sure how to get information about it.
• EEs aren’t familiar with specific requirements.
• EEs don’t know who the compliance manager or risk area officers are.
• Stakeholders know nothing about the program.

Repeatable:
• EEs are aware the program exists, went through training once and intuitively know some, but not all, requirements of the program.
• EEs know who the chief compliance officer and/or compliance manager are, but not the risk area officers.
• Stakeholders assume a program exists, but don’t know anything about it or where to get information.

Defined:
• There is widespread EE awareness of the program.
• All EEs went through training in the last three years.
• EEs know who the chief compliance officer and compliance manager are.
• EEs know about the risk area officer positions, and may know one or two if they work with them, but they don’t know most of them.
• Stakeholders are aware the program exists and can find references on the company website.

Mature:
• Annual training reinforces the program, with individual modules delivered in more depth.
• EEs know who all of the risk area officers are and generally understand the responsibilities of each risk area.
• Compliance with the program and ethical expectations are covered in contracts with vendors.

World Class:
• Communications occur on a regular basis to remind/update employees on program expectations.
• The program is part of external sustainability reporting conducted annually.

Attribute 4. Structure and Accountability (How effective is the structure for managing the program and enforcing accountability?)

Immature:
• There is no formal compliance structure.
• Independent oversight is nonexistent or ad hoc.
• Accountability is not defined.
• Investigations are ad hoc.
• Compliance risks are not understood.

Repeatable:
• A compliance officer has been designated, but the responsibilities of the position are not well-developed.
• Oversight and monitoring are inconsistent and reactionary.
• Accountability is broadly understood but not formally documented.
• Investigations are typically conducted by appropriate personnel.
• Compliance risks are generally understood but not formally documented.

Defined:
• A compliance structure has been established, with accountability assigned to risk area officers.
• Oversight is defined from a senior management and board perspective.
• Monitoring is established, including Internal Audit and others.
• There is a focal point for determining who should conduct investigations.
• Compliance risks and scenarios are documented.
• A formal compliance risk assessment has been completed.

Mature:
• Reporting by risk area officers to the compliance manager is timely and consistent.
• The applicable Board committee receives quarterly updates on compliance matters.
• Internal Audit has a consistent plan for auditing all compliance risks.
• A formal investigation protocol outlines appropriate resources to use (internal vs. external), documentation requirements, and how investigations are closed.

World Class:
• An integrated monitoring plan has been implemented that involves the compliance manager, risk area officers, and Internal Audit.
• Sensitive or significant investigations are conducted in accordance with the protocol by individuals trained in forensic and investigation techniques.
• Compliance risk scenarios have been identified, assessed, and mapped to compliance controls and are updated at least annually.

Attribute 5. Process Automation and Integration (How effectively are compliance controls and processes standardized, integrated, and automated?)

Immature:
• There are no formal compliance controls or procedures, although many employees know intuitively how to act.
• There is no formal protocol for employees or outsiders to report suspected noncompliance events.
• Information/data related to compliance is not available.

Repeatable:
• There are some compliance controls and procedures, but they are not consistent across the organization or formally documented.
• There is limited testing of the controls and procedures in place.
• Employees generally understand that they can contact Legal or Human Resources if they suspect a noncompliance event.
• Information/data related to compliance events is difficult to compile.

Defined:
• Compliance controls and procedures are well-documented and standardized across the organization.
• Compliance controls and procedures are tested periodically to identify gaps or weaknesses.
• An external hotline is in place to which employees or outsiders can report suspected noncompliance events.
• Some compliance controls are integrated with other business processes and automated to the extent existing systems support it.
• Some standard reports are prepared related to compliance events.
• Technology is used to aid in the identification and investigation of compliance events.

Mature:
• Compliance controls and procedures are an integral part of business processes.
• Many compliance controls address key compliance risks as part of a governance, risk, and compliance (GRC) view of the program.
• There are multiple avenues through which employees or outsiders can report suspected noncompliance events, and all follow a consistent protocol for gathering information on the event and escalating it.
• A consistent test plan is used to ensure compliance controls and procedures operate effectively.

World Class:
• The company has established an integrated GRC program that ensures compliance risks are managed consistent with the organization’s risk appetite.
• Event management software is used to ensure all key data is gathered and the resolution of events is documented in a complete and consistent manner.
• GRC software is used to provide integrated information on the program.
• Integrated technology routines are run on a regularly scheduled basis to prevent or detect timely potential compliance events.

Attribute 6. Goals and Metrics (How is success of the compliance program measured?)

Immature:
• No formal goals or metrics exist or are contemplated.

Repeatable:
• While goals and metrics are not formalized, employees generally understand that the absence of compliance events is indicative of a successful program.

Defined:
• Broad compliance goals are established and communicated.
• Broad metrics exist to measure the nature and frequency of compliance events.

Mature:
• Specific compliance goals are integrated into the annual goal setting process for each risk area.
• Metrics are established for each risk area.

World Class:
• All employees have individual compliance goals.
• Metrics are integrated into the overall performance measurement process.

Entitywide Employee Survey 2

The ethical climate is not always what executives or the board want it to be or think it is. The ethical climate is what employees experience. Therefore, an entitywide survey should provide a reasonably accurate measure of the ethical climate. By identifying gaps between the desired and actual ethical climate, a survey can lead to action plans to bridge those gaps and thereby add great value to the organization.

The following is an example of a survey some internal auditors have used effectively. It is not focused exclusively on the ethical climate. Instead, the ethical issues are embedded into a broader survey.

SAMPLE ENTITYWIDE EMPLOYEE SURVEY

YOUR DEPARTMENT _________________________

In what state is your office located? ........................................... IL IN MI OH WI OTHER

(PLEASE CIRCLE THE ONE RESPONSE THAT BEST DESCRIBES YOUR REACTION TO EACH STATEMENT.)
KEY: SA = Strongly Agree A = Agree D = Disagree SD = Strongly Disagree DK = Don’t Know

SECTION I: Company Culture

The company culture sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. (PLEASE CIRCLE ONE FOR EACH.)

1. Senior management of my business unit demonstrates high ethical standards. SA A D SD DK

2. Senior management of my business unit strives to comply with laws/regulations affecting the company. SA A D SD DK

3. My supervisor complies with laws/regulations affecting the company. SA A D SD DK

4. The performance targets in my work unit are realistic and obtainable. SA A D SD DK

2 Excerpted from Best Practices: Evaluating the Corporate Culture, Copyright 2010 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. Reprinted with permission.


5. Employees in my work unit have the knowledge, skill, and training to perform their job adequately. SA A D SD DK

6. My business unit learns from its mistakes. SA A D SD DK

7. Personnel turnover has not impacted my work unit’s ability to effectively perform its function. SA A D SD DK

8. Integrity of financial and operational results always takes priority over reporting acceptable performance targets. SA A D SD DK

9. Employees in my work unit are treated fairly and justly. SA A D SD DK

10. Employees in my work unit do not have to take unnecessary safety risks to perform their job. SA A D SD DK

11. If you disagree/strongly disagree with any of the above questions on Company Culture,
why do you feel this way?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

SECTION II: Goals and Obstacles


Organizations identify and analyze potential obstacles to the achievement of their goals to determine how to manage these
obstacles. (PLEASE CIRCLE ONE FOR EACH.)
12. For the coming year, I am accountable for defined, measurable objectives. SA A D SD DK

13. I have sufficient resources, tools, and time to accomplish my objectives. SA A D SD DK

14. In my department, we identify barriers and obstacles and


resolve issues that could impact achievement of objectives. SA A D SD DK


15. In my department, the processes supporting new products, services, technology, and other significant changes are adequately managed. SA A D SD DK

16. My business unit adequately considers customer impacts in its decisions and actions. SA A D SD DK

17. If you disagree/strongly disagree with any of the above questions on Goals and Obstacles,
why do you feel this way?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

18. In your opinion, what are the primary business/financial risks facing your business unit?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

SECTION III: Policies and Procedures


Policies, procedures, and other safeguards help ensure that objectives are accomplished.
(PLEASE CIRCLE ONE FOR EACH.)

19. The policies and procedures in my work unit allow me to do my job effectively. SA A D SD DK

20. Employees who steal from the company (physical property, money, information,
time) will be discovered. SA A D SD DK

21. Employees who steal from the company and are discovered
will be subject to appropriate consequences. SA A D SD DK

22. Employees who break laws and regulations affecting the company will be discovered. SA A D SD DK

23. Employees who break laws and regulations affecting the company
and are discovered will be subject to appropriate consequences. SA A D SD DK


24. If you disagree/strongly disagree with any of the above questions on Policies and Procedures,
why do you feel this way?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

SECTION IV: Information and Communication


Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to
carry out their responsibilities. (PLEASE CIRCLE ONE FOR EACH.)

25. Our information systems provide management with timely reports on my unit’s performance relative to established objectives. SA A D SD DK

26. Mechanisms and incentives are in place for me to provide recommendations for process improvements. SA A D SD DK

27. The interaction between senior management and my work unit enables us to perform our jobs effectively. SA A D SD DK

28. The communication across departmental boundaries within my business unit enables us to perform our jobs effectively. SA A D SD DK

29. The communication across business unit boundaries enables people to perform their jobs effectively. SA A D SD DK

30. I have sufficient information to do my job. SA A D SD DK

31. Senior management at XXX Corporate is informed and aware of my business unit’s actual performance. SA A D SD DK

32. A communication channel exists for reporting suspected improprieties. SA A D SD DK


33. Persons who report suspected improprieties are protected from reprisal. SA A D SD DK

34. If I report wrongdoing to my supervisor, I am confident that the wrongdoing will stop. SA A D SD DK

35. If you disagree/strongly disagree with any of the above questions on Information and Communications,
why do you feel this way?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

SECTION V: Evaluation and Feedback


Through evaluation and feedback processes, an organization assesses, tracks, and monitors its performance over time.
(PLEASE CIRCLE ONE FOR EACH.)

36. Information reported to senior management reflects the actual results of operations in my work unit. SA A D SD DK

37. I have enough information to monitor vendor performance. SA A D SD DK

38. I have enough information to monitor customers’ satisfaction or dissatisfaction (either internal or external). SA A D SD DK

39. External and/or internal customer feedback and complaints are followed up timely and effectively. SA A D SD DK

40. The quality of output in my work unit is measurable. SA A D SD DK

41. Employees in my work unit know what actions to take when they find mistakes or gaps in performance. SA A D SD DK

42. My supervisor reviews my performance with me at appropriate intervals. SA A D SD DK

43. I know what action to take if I become aware of unethical or fraudulent activity. SA A D SD DK


44. If you disagree/strongly disagree with any of the above questions on Evaluation and Feedback,
why do you feel this way?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

45. I suspect/know that fraudulent activity is occurring in my work place. YES NO

If question 45 is answered YES, please complete the following.

45A. What is the activity referred to in question 45?


_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

45B. Did you report it? Yes / No (Please circle)

45C. If no, why not?


_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

(NOTE: If you wish to report any fraud, you may call the XXX Integrity Line at 1-800/xxx-xxxx)


Audit Project Employee Survey 3

As noted above, operating managers create ethical sub-climates within their own areas by their own words and actions. The sub-climate might not be consistent with the broader climate, so using an employee survey on each audit project can also add value. The following brief survey is used by a university on every audit project, and the results are reported in every audit report. Local management is asked if they want to add any statements to the survey to get feedback on issues of concern to them.

Employee Survey
“Management” refers to the department head/director and his/her leadership team if you work in an academic de-
partment or center, or to the dean and his/her leadership team if you personally work in or directly report to a dean
or dean’s office.
KEY: SA = Strongly Agree A = Agree D = Disagree SD = Strongly Disagree N/A
1. Management demonstrates the importance of
integrity and ethical behavior to its employees. SA A D SD N/A
2. Management is open to employee suggestions to improve
productivity and quality. SA A D SD N/A
3. Management sometimes overrides university policies,
procedures, or work place rules (e.g., takes shortcuts
that are contrary to policy). SA A D SD N/A
4. Management has the right knowledge, skills,
and training to effectively perform its duties. SA A D SD N/A
5. Nonmanagement (support) staff has the right knowledge,
skills, and training to effectively perform its duties. SA A D SD N/A
6. Management effectively monitors and provides oversight
and direction for the activities in my unit. SA A D SD N/A
7. Management is concerned with and responsive to customer
feedback or suggestions. SA A D SD N/A
8. I understand workplace policies and rules and have an
effective resource for obtaining clarification of policies
when needed. SA A D SD N/A
9. Management has not effectively communicated my job duties
and responsibilities to me. SA A D SD N/A

3 Excerpted from Best Practices: Evaluating the Corporate Culture, Copyright 2010 by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida 32701-4201 U.S.A. Reprinted with permission.


10. Management would take appropriate corrective action if policy, procedure, or workplace rule violations were detected. SA A D SD N/A
11. I would be protected from retaliation if I report a
suspected violation. SA A D SD N/A
12. I am familiar with how to report violations of law or
policy, including the university’s confidential reporting line. SA A D SD N/A

Would you like to tell us anything else about the operations of your (college, department, center, or other term as
appropriate)?
_________________________________________________________________________________________
_________________________________________________________________________________________
_________________________________________________________________________________________

NAME (optional) ____________________________________


APPENDIX B: Pertinent Strongly Recommended Guidance

Pertinent Position Papers

Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, and control issues and delineating related roles and responsibilities of internal auditing. Refer to:

Position Paper “The Role of Internal Auditing in Enterprise-wide Risk Management” (January 2009)

Pertinent Practice Advisories

Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal audit’s approach, methodologies, and consideration, but not detailed processes or procedures. They include practices relating to international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

PA 2010-1: Linking the Audit Plan to Risk and Exposures (January 2009)
PA 2010-2: Using the Risk Management Process in Internal Audit Planning (July 2009)
PA 2050-1: Coordination (January 2009)
PA 2050-2: Assurance Maps (July 2009)
PA 2050-3: Relying on the Work of Other Assurance Providers (October 2010)
PA 2060-1: Reporting to Senior Management and the Board (May 2010)
PA 2110-1: Governance: Definition (April 2010)
PA 2110-2: Governance: Relationship With Risk and Control (April 2010)
PA 2110-3: Governance: Assessments (April 2010)
PA 2120-1: Assessing the Adequacy of Risk Management Processes (January 2009)
PA 2130-1: Assessing the Adequacy of Control Processes (January 2009)
PA 2130.A1-1: Information Reliability and Integrity (January 2009)
PA 2240-1: Engagement Work Program (January 2009)
PA 2400-1: Legal Considerations in Communicating Results (May 2010)
PA 2440-1: Disseminating Results (January 2009)
PA 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command (May 2010)
PA 2440.A2-1: Communications Outside the Organization (May 2010)

Pertinent Practice Guides (PGs)

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.

PG External Business Relationship (May 2009)
PG Internal Auditing and Fraud (December 2009)
PG GTAG – 13 Fraud Prevention and Detection in an Automated World (December 2009)
PG Evaluating Corporate Social Responsibility/Sustainable Development (February 2010)
PG Auditing Executive Compensation and Benefits (April 2010)
PG Auditing the Control Environment (April 2011)
PG Coordinating Risk Management and Assurance (March 2012)
PG Maturity Model (TBD)
PG Organizational Governance (TBD)


Authors:
Stephen Linden, CPA
Angelina Chin, CIA, CCSA, CRMA
James Roth, Ph.D., CIA, CCSA, CRMA
David Zechnich, CIA, CPA
Susan L. Rudolph

Reviewers:
Steve Jameson, CIA, CCSA, CFSA, CRMA

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org
IPPF – Practice Guide

Formulating and Expressing Internal Audit Opinions

March 2009

Table of Contents
1. Executive Summary..................................................................................................1

2. Introduction.............................................................................................................1

3. Planning the Expression of an Opinion.....................................................................2

3.1 Expressing an Opinion......................................................................................2

3.2 Scope of Opinions.............................................................................................3

3.3 Establishing Suitable Criteria for the Opinion...................................................4

4. Scope of Work..........................................................................................................5

4.1 Evaluation of Results........................................................................................6

5. Use of Grades in Expressing an Opinion...................................................................6

5.1 Use of Negative (Limited) Assurance Opinion and “Informal” Opinions............7

5.2 Reliance on the Work of Others When Supporting an Opinion...........................7

5.3 Guidance From Regulators and Other Standard Setters...................................8

5.4 Other Legal Considerations..............................................................................8

Appendix A: Examples: Risk Ratings or Rankings.........................................................9

Appendix B: Examples: Micro and Macro Audit Opinion (Grading)..............................11

Appendix C: Macro-level Opinion (Example)...............................................................13

Appendix D: Related IPPF Guidance............................................................................14

www.theiia.org/guidance / B
1. Executive Summary

Nature of this Guidance: This document provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.

This guidance is not intended to represent all of the considerations that may be necessary. Some of the related International Standards for the Professional Practice of Internal Auditing (Standards) and other guidance documents related to this topic are provided in Appendix D.

Applicability
This guidance may be applicable to and useful for:
• Chief audit executives (CAEs).
• Boards.
• Executive and operating management.
• Other assurance providers (OAPs).
• Other professional and regulatory bodies.

Background
Internal auditors are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).

Examples of macro- and micro-level opinions include:
• An opinion on the organization’s overall system of internal control over financial reporting (macro).
• An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
• An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
• An opinion on an individual business process or activity within a single organization, department, or location (micro).
• An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
• An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).

2. Introduction

The need for audit opinions and the ability of internal auditing to express them depends on several circumstances, including understanding the needs of stakeholders; determining the scope, nature, timing, and extent of audit work required; ensuring there are sufficient resources to complete the work; and assessing the results of the work performed.

Stakeholder requirements for internal audit opinions, including the level of assurance required, should be clarified by the CAE with senior management and the board.

Discussions with stakeholders may include:
• The value of the opinion to the stakeholders, including (where appropriate) why it is being requested.
• The timing for issuance and type of the opinion(s).
• The form of opinion to be provided (e.g., written or verbal).
• The level of assurance to be provided.
• The period or point in time the opinion covers.
• The scope of the opinion sought (e.g., whether it should be limited to financial reporting, operational controls, or compliance with specified regulations).
• The criteria used in expressing opinions.
• The rating process to be applied in relation to individual audit findings.
• Potential users of the assurance beyond management and the board.

When issuing internal audit opinions, the CAE considers the potential impact to the organization if the report is likely to be distributed to outside users. In such circumstances it would be appropriate to consult legal counsel, particularly if “privileged information” is an important factor.

3. Planning the Expression of an Opinion

In developing audit plans to support the expression of an opinion, there are a number of factors that the internal audit activity needs to consider. These include:
• The unique characteristics of macro-level versus micro-level opinions. Macro opinions generally are based on the results of multiple audit projects, whereas micro opinions are typically based on the results of a single audit project or a few projects performed over a limited period of time.
• The nature of the opinion to be provided; specifically, whether positive or negative assurance will be issued. In general, more evidence and a broader scope of work are required for a positive assurance opinion.
• The purpose and use of any special requests where an opinion will be rendered.
• The nature and extent of audit evidence needed to support the opinion to be provided and the time period required to perform the work. This is especially important for macro opinions, where the opinion may require multiple projects to be completed.
• Discussion and agreement with stakeholders (typically senior management and the board) on the criteria that will be used in determining the opinion to be provided.
• The need for careful planning and development of an audit plan and approach that will provide the internal audit activity with sufficient, relevant evidence to support the opinion. This approach may include aggregating the results of previously completed audits to support the opinion, or identifying areas of significance and risk where audit evidence will need to be completed or obtained to support the expression of the planned internal audit opinion. In addition, where multiple projects will be required to provide the opinion, these projects should be identified and included in the internal audit plan.
• The consideration of all related, planned projects (including reliance on the work of others or self-assessments), and allowing time for the final assessment. For example, rendering an opinion on inventory controls in a global organization (e.g., audits in 30 international locations) will require extensive planning on scope coverage and the time to complete the work before an opinion can be rendered.
• Whether there are adequate resources and skills to perform all the work required to provide sufficient support for the opinion. If not, a determination is made whether to decline to express the opinion, or to qualify the opinion (by excluding certain areas or risks from the scope of the opinion).
• Discussions with management and communication of the internal audit plan, including the timing and scope of each project and the criteria that will be used in determining the opinion to be provided to management and, if appropriate, the board.

3.1 Expressing an Opinion
It is not uncommon for the internal audit activity to provide opinions at both macro and micro levels, including
an opinion on the overall adequacy of the organization’s policies, procedures, and processes to support governance, risk management, and internal controls. When rendered, such opinions are generally in writing and will be of the highest value if they take the form of “positive assurance,” sometimes referred to as “reasonable assurance” opinions. The CAE is the best individual to provide macro opinions given his or her position to obtain a pervasive overview of micro-level audit results.

Positive assurance (reasonable assurance) provides the highest level of assurance and one of the strongest types of audit opinions. In providing positive assurance, the auditor takes a definite position, which may be binary in nature; for example, that internal controls are or are not effective in the situation or that risks are or are not being effectively managed.

Variations in expressing a positive assurance opinion may include the use of grades, where the effectiveness of internal controls or risk management is rated using a grading system. Common examples of a grading system include the use of color coding (such as red-yellow-green) or the use of a grading scale (such as 1 to 4). When such scales are used, they should have an agreed-upon and commonly understood meaning within the organization. More guidance on the “Use of Grades” is provided in the Appendices.

The expression of the opinion may also include information about the direction of the opinion since a previous audit. For example, the opinion may indicate that controls or risk management are satisfactory, but their effectiveness may have diminished since the prior audit period.

A positive assurance opinion requires the highest level of evidence. It implies not only whether controls/risk mitigation processes are adequate and effective, but also that sufficient evidence was gathered to be reasonably certain that evidence to the contrary, if it exists, would have been identified. The auditor takes full responsibility for the sufficiency of the audit procedures to find what should have been reasonably found by a prudent auditor.

Positive assurance opinions provide the reader a high level of confidence and comfort in the reliability of the underlying information. As such, internal audit activities are often requested to provide such positive assurance opinions.

An opinion can be qualified, which may be useful in situations where there is an exception to the general opinion. For example, the opinion may indicate that controls were: “Satisfactory with the exception of accounts payable controls, which require significant improvement.”

3.2 Scope of Opinions
CAEs may be requested to render opinions at an overall level (macro) or on an individual audit assignment level (micro). The following highlights distinctions between the two.

Macro Level
While macro-level opinions are issued or provided at a point in time (e.g., on an annual basis), the supporting audit evidence is generally built up over a period of time and based on the results of several audit assignments, work performed by others, and informal evidence. A macro-level opinion may evolve or change as the individual assignments are completed and additional audit evidence (including findings/exceptions) is obtained.

When expressing a macro opinion, the CAE considers several factors:
• The purpose for which the opinion will be used.
• Whether the opinion can be rendered based on the audit period and testing timelines.
• A clear understanding of what the organization considers “overall” satisfactory performance.
• The organization’s risk appetite and the criteria for the opinion.
• The sufficiency of audit work and audit evidence (including the work of others and informal evidence) to support the opinion requested.
On occasion, internal auditing may not be able to obtain sufficient evidence (e.g., because of resource limitations) to support all the areas covered by a macro opinion. As a result, only a limited macro opinion may be possible; for example, an opinion on compliance with environmental regulations may be limited by excluding an assessment of compliance with regulations governing waste disposal. The potential for a limited opinion should be recognized as part of the planning process, so that stakeholders understand the opinion will be limited.

Expressing an opinion at the macro level can be a complex task. It may require establishing methodologies and planning for:
• Aggregation and interpretation of findings from several audits, some of which may have been completed months before the opinion date. In such circumstances the CAE will have to exercise due care to ensure consistent standards have been used in all audits to assess any findings and to draw conclusions. In addition, follow-up on remedial action and subsequent events to the earlier audit should be considered.
• Methodologies for incorporating audit evidence developed through less formal means. This may occur since macro opinions are generally pervasive in nature and require a greater breadth of coverage. As such, reliance on other types of assurance processes may be required. For example, the results of management self-assessments and the consideration of informal evidence (i.e., evidence that is not specific to an audit engagement) from different sources might be utilized if the auditor believes them to be reliable. Informal evidence may include the subjective assessment of internal auditing (e.g., based on visits to locations and observations of operations), but reliance on such evidence may be disclosed when expressing the macro opinion.
• Consideration of evidence that may have been obtained through reliance on the work of others. This may include, for example, a review of the work of various quality assurance groups within the organization or work completed to meet regulatory requirements, each of which may have been performed using different or varying assurance methodologies. In such situations, it is imperative that the CAE evaluate the risk associated with utilizing the work of others and consider explaining this when expressing an opinion.

Micro Level
Opinions at the micro level are generally the result of an individual audit assignment. Such an assignment may be in relation to controls around a specific process, risk, or business unit. The formulation of such opinions requires consideration of the audit findings and their respective ratings.

Micro opinions are typically less complex than macro opinions. Recent surveys indicated that most audit organizations throughout the world issue micro-level audit opinions, using a rating/grading system as part of expressing their overall opinion. However, it was also noted that many audit organizations have not developed a formal criteria framework against which to draw their conclusions.

In some organizations, where the auditor provides macro opinions on risks and the organization as a whole, individual assignment-level (micro) opinions may not be as important to senior-level stakeholders or the board because they are mostly concerned with the overall macro opinion. In such instances, it is particularly important to manage stakeholder expectations below this senior level since stakeholders responsible for the audited areas will typically expect a report and an opinion on completion of the specific assignment.

3.3 Establishing Suitable Criteria for the Opinion
Auditors should have a means of measuring or judging the results and impact of matters identified on an audit. This can be achieved through the development of a criteria
framework. Suitable criteria are factors that are relevant and appropriate to the particular characteristics of the audited organization and against which actual outcomes can be objectively assessed. They focus, wherever possible, on the results expected to be achieved by systems of internal controls and ideally are established before the execution of the overall audit plan. These criteria should be relevant, reliable, neutral, understandable, and complete. For example, the aggregate of the observations allows the audit team to form a conclusion against each audit objective or on a process or function taken as a whole. The CAE ensures there is an evaluation framework for this process.

As part of the planning process, the basis for the opinion is discussed with various stakeholders using the criteria and evaluation framework. This includes discussing specific objectives with key process owners, senior executives, and other stakeholders, including the board, as appropriate. It is important that management within audited organizations understand and accept these criteria and how they could impact them and their responsibility in relation to maintaining a strong internal control environment.

In establishing suitable criteria, it is important for the internal audit activity to determine whether the organization has established basic principles as to what constitutes appropriate governance, risk management, and control practices. This would include:
• A clear articulation of the definition of control adopted or used by the organization; for example, has the organization adopted the COSO or CoCo model?
• Management’s understanding of what would constitute a satisfactory level of control. For example, satisfactory could mean that 90 percent (or another acceptable percentage) of transactions within one control objective are conducted in accordance with established control procedures; alternatively, it could also mean that 85 percent (or another acceptable percentage) of overall controls are working as intended.
• A clear articulation by management of its risk tolerances or appetite, including materiality thresholds.

Such key corporate principles provide an agreed-upon framework against which conclusions can be reached and an opinion expressed in a manner that is mutually understood by management and the internal auditors.

In the absence of such principles, it is recommended that internal auditing should not render an opinion, since there is no frame of reference to objectively support the internal auditor’s conclusion.

4. Scope of Work

The nature and form of the opinion expressed depend on the scope of work performed and audit evidence gathered. A key step in developing the scope is to design an audit plan that will result in sufficient, appropriate audit evidence that will allow the auditor to draw a conclusion on the results of audit work performed. When discussing the plan with key stakeholders, the CAE articulates precisely what is included within the scope of work and the type of opinion to be rendered. This is important to communicate to key stakeholders to avoid confusion, particularly around macro-level opinions.

Consideration of the appropriateness of audit scope is required for both micro- and macro-level opinions. However, with macro opinions this becomes more complex. Whether a macro-level opinion on governance, risk management, and control is possible will depend on the completeness of the audit universe and the auditor’s coverage of the universe. The expression of a macro-level opinion may take longer to complete as a result of the extent of work that will need to be completed and the need to aggregate the results of several individual audits that collectively will support the macro-level opinion.

Common elements included in defining the scope over which the opinion applies are:
• Descriptions of the portions of the organization being covered, whether the scope is defined as the organization as a whole or just specific components
of the organization, high-level risks (e.g., competitor actions), or risk categories (e.g., credit risk).
• Control components covered by the audit; that is, the specific financial, operational, or compliance controls being addressed (e.g., specifically stating that the opinion relates to design processes, performance objectives, documentation requirements, financial results, etc.).
• The point of time or the time period over which the opinion is expressed.

4.1 Evaluation of Results
An important step in the planning process is the establishment of a methodology that will be followed to evaluate the results of audit work completed. This may involve assessing and rating individual audit findings and their significance relative to the individual project, individual risks/risk categories, or the organization as a whole.

The following elements should be considered:

Materiality – The magnitude or significance of a key business objective that is fundamental to the opinion is important. The internal auditor should consider the magnitude of the residual risk that a business objective will not be achieved.

Impact – The implications of audit issues/findings are considered and fully understood in the context of the opinion to be given (i.e., micro versus macro). An audit opinion may be given a different level of importance using the same rating criteria depending on the impact to the organization. For example, some issues may have a material impact on the achievement of goals or mitigation of risks at a micro level, but not at a macro level (e.g., the failure to manage potential duplicate payments may be material to a subsidiary but not to the organization as a whole).

Another factor to be considered when rating the adequacy of controls in a macro opinion is rating the level of risks provided by the controls in place so that management’s objectives will be achieved. (Examples of risk ratings are presented in Appendix A.)

5. Use of Grades in Expressing an Opinion

It is common for internal audit activities to use a grading system when issuing audit reports.

When using a grading system to communicate a positive assurance opinion, care must be taken with wording, particularly around defining “waterlines” such as adequate or inadequate. Wording should be clear and appropriately defined for the reader. Using general terms such as satisfactory, effective, or unsatisfactory may not sufficiently define the meaning. The organization needs to have a clear, common understanding of these terms and what constitutes an acceptable level of performance, all of which require a frame of reference. For example, the term effective usually refers to controls being effective both in design and in operation. The opinion needs to indicate whether both meanings are included.

Clarity of communication is improved if the organization has adopted a broadly understood definition of internal controls, such as in the COSO model. In preparing the report, the CAE ensures that any technical terms (e.g., material weakness) are clearly defined for the reader. Developing a guideline such as those included in the Appendices will eliminate some of the subjectivity and help avoid confusion.

Use of a grading scale generally requires a well-defined evaluation structure. For example, an opinion that merely states that internal controls meet minimum defined criteria would not require as much evidence as an opinion that stated how much better or worse internal controls are than a defined benchmark.

Increased precision in the information provided in an opinion normally increases the amount of evidence needed to support the opinion. Providing a grade as part of a positive assurance opinion may provide useful
information to the reader, but sufficient evidence is needed to support that finer level of detail given in the opinion. The rating scale clarifies whether the opinion is in relation to the organization as a whole or on the subject of the audit (specific audit assignment).

It is also important to consider consistency and sustainability of the grading or rating system across audit years. Grading or rating systems that change too frequently can be confusing to the stakeholders and may impact the comparability and clarity of reporting across the organization.

5.1 Use of Negative (Limited) Assurance Opinions and “Informal” Opinions
A “negative assurance,” sometimes referred to as “limited assurance,” opinion is a statement that nothing came to the auditor’s attention about a particular objective, such as the effectiveness of a system of internal control, adequacy of a risk management process, or on any other specific matter. The internal auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. Such an opinion is generally considered less valuable than positive assurance and therefore auditors consider their value before rendering them.

Occasionally, internal auditing may be asked for an “informal” or verbal opinion on the adequacy of governance, risk management, or control policies and processes, either at the macro or micro level. Where possible, the expression of such an opinion should not be subjective in nature, but should be based on objective evidence (as discussed previously). However, where stakeholders would accept a more subjective opinion, the fact that the opinion is subjective should be clearly disclosed with any verbal commentary.

When expressing an informal opinion, the CAE considers a number of factors:
• The sufficiency of audit work (including the work of others and informal evidence) to support the opinion requested.
• Whether the opinion can be delayed until additional evidence is obtained.
• The criteria for the opinion and a clear understanding of what the organization considers satisfactory performance.
• The organization’s risk appetite.
• The purpose for which the opinion will be used.
• Whether the informal opinion will be positive or negative in nature.
• Whether the opinion will be limited and put in the context of what supporting evidence has and has not been obtained (e.g., “This opinion is based on the seven audits completed this year. We have not completed audits of the XYZ subsidiary, and our opinion does not extend to it”).

In essence the factors considered are the same as those that would be considered in expressing a written opinion.

It will be important to recognize instances where the most appropriate response is an indication that further work would be needed to express an opinion on the area subject to discussion.

In some instances, it may be necessary for internal auditing to decline to issue a verbal opinion, especially when there is a lack of sufficient evidence or work to support the opinion.

5.2 Reliance on the Work of Others When Supporting an Opinion
In many organizations, there is a range of functions or people who provide management and the board with assurance on specific aspects of the organization’s operations, commonly referred to as “other assurance providers” (OAPs).

If the CAE intends to rely on this work for purposes of expressing his or her own opinion, appropriate steps should be taken, including assessing the competency,
independence, and objectivity of the OAPs. The CAE:
• Determines that the OAP possesses the knowledge, skills, and other competencies necessary for the work to be relied upon.
• Assesses the organizational relationships of the OAP to determine that there are no relationships that will prevent the OAP from rendering impartial and unbiased judgments and opinions in the performance of their assurance activities.
• Obtains sufficient information regarding the objectives and scope of the OAP’s work to confirm that they meet auditing’s specific requirements. A common best practice is to establish frequent communication meetings where the CAE has visibility of the planned activities, results of work, and OAP reports (or other similar communications).
• Evaluates the risks of using the work of OAPs, particularly related to the level of assurance and confidence related to opinions.

Once the CAE determines he or she will rely on the work of others, that fact should be included in discussions with key stakeholders and, if significant, the board. It is important that all parties understand how the work of OAPs may impact macro or micro audit opinions, including the degree of confidence to be placed in such opinions.

5.3 Guidance From Regulators and Other Standard Setters
To the extent practicable, this guidance aims to harmonize with other global regulators and is not intended to conflict with known laws and regulations from other regulatory bodies and standard setters. Internal auditors are not to overlook their responsibilities to comply with local laws and regulations. However, where such regulations or laws do not exist or may conflict, this guidance can be useful for providing audit opinions to all practitioners who aim to comply with this guidance to the extent practicable.

5.4 Other Legal Considerations
The use of opinions can result in increased reliance on internal audit reports. This is a desirable outcome as it increases the value and clarity on the level of assurance given in an audit report. However, increased reliance can also result in legal and other ramifications if someone relies on the audit report and a control failure emerges after the report is issued. In addition, the CAE’s own personal certification credentials can have legal ramifications if noncompliance issues should arise. In managing these ramifications, the CAE is encouraged to use appropriate language in the report and any disclaimer that puts the reader on notice of any limitations to the level of assurance given. When signing a report opinion as a chartered accountant, certified public accountant, certified internal auditor, or other similarly credentialed professional, the CAE should alert readers that it is not possible to provide absolute assurance and encourage them to consider all legal implications. By being clear on these matters and documenting them to the users of reports, the CAE is able to manage expectations and limit unnecessary legal risk.
Appendix A: Examples: Risk Ratings or Rankings

The following are examples of systems that may be applied to rate or rank risks. For all of these, it is important to clarify context (i.e., rating relative to the organization as a whole versus the subject of the audit). These risk ratings/rankings may also be applicable to certain micro-level opinions.

Company A: Risk Rating Opinion

Very High – The residual risk after consideration of the adequacy and/or effectiveness of controls/risk mitigators remains very high according to the organization's (or division's or entity's) risk assessment matrix (risk rating criteria). This is above the acceptable tolerance level.

High – The residual risk after consideration of the adequacy and/or effectiveness of controls/risk mitigators remains high according to the organization's (or division's or entity's) risk assessment matrix. This is above the acceptable tolerance level.

Medium – The residual risk after consideration of the adequacy and/or effectiveness of controls/risk mitigators is medium according to the organization's (or division's or entity's) risk assessment matrix and thus is within the organization's risk tolerance.

Low Risk – The residual risk after consideration of the adequacy and/or effectiveness of controls/risk mitigators is low and thus is within the organization's risk tolerance.

Company B: Deficiency Risk Rating in Relation to Audit Findings (Micro Level)

High Priority Risk – As this is a high priority issue, immediate management attention is required. This is a serious internal control or risk management issue that, if not mitigated, may, with a high degree of certainty, lead to:

• Substantial losses, possibly in conjunction with other weaknesses in the control framework or the organizational entity or process being audited.
• Serious violation of corporate strategies, policies, or values.
• Serious reputation damage, such as negative publicity in national or international media.
• Significant adverse regulatory impact, such as loss of operating licenses or material fines.

Medium Risk – As this is a medium-priority issue, timely management attention is warranted. This is an internal control or risk management issue that could lead to:

• Financial losses (stipulate levels).
• Loss of controls within the organizational entity or process being audited.
• Reputation damage, such as negative publicity in local or regional media.
• Adverse regulatory impact, such as public sanctions or immaterial fines.

Low Risk – As this is a low priority issue, routine management attention is warranted. This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the organizational entity or process being audited. Risks are limited.

Company C: Priority Risk Ranking of a Deficiency (Micro Level)

Any one or more of the criteria noted below will result in a priority ranking, providing mitigating controls are not in place. (Note: Two or more priority ranking observations can result in an "unsatisfactory" audit opinion.)

• There is a potential financial statement or financial disclosure misstatement requiring an after-tax adjustment to the financial statements or related disclosures greater than or equal to $XX million.


• Controls are not operating as intended and it is estimated that there could be an operational effectiveness and efficiency opportunity having a potential economic impact greater than 0.5 percent of total net income or greater than 1 percent of a group classification of balance sheet accounts such as fixed assets, current assets, current liabilities, etc., or have a material adverse effect on the company's reputation.
• A key control is not functioning as intended, as supported by the auditors' test exception results in excess of XX percent (using a sufficient representative sample size), and no mitigating controls exist (or a lower test exception rate if exposure is significant).
• Critical information systems (as defined) are significantly compromised due to ineffective controls over logical/application security, data protection (including customer/employee information), and a lack of system edit checks and limited mitigating controls.
• Priority control weaknesses identified in a previous internal audit remain unresolved without a reasonable cause for delay.
• Audit findings have identified ineffective controls that have led to an internal or external fraud (as defined) being perpetrated (i.e., proven), or there is a high likelihood that a potential (i.e., credible) fraud could exist that is greater than $XX.


Appendix B: Examples: Micro and Macro Audit Opinion (Grading)

The following are grading examples that may be applied in relation to audit opinions. For all of these, it is important to clarify context; that is, opinion relative to the organization as a whole (macro) versus an individual audit review of a particular subject or process (micro). It will be important to have a risk ranking process and methodology in place, similar to those in Appendix A, when formulating these opinions.

Company D: 3 Tier Grading

Inadequate System of Internal Control – Findings indicate significant control weaknesses and the need for urgent remedial action. Corrective action has not yet started, or the current remedial action is not, at the time of the audit, sufficient or progressing sufficiently to address the severity of the control weaknesses identified.

Adequate System of Internal Control Subject to Reservations – A number of findings, some of which are significant, have been raised. Where action is in progress to address these findings and other issues known to management, these actions are at too early a stage to allow a satisfactory audit opinion to be given.

Satisfactory System of Internal Control – Findings indicate that, on the whole, controls are satisfactory, although some enhancements may have been recommended.

Company E: 4 Tier Grading

Effective – Controls evaluated are adequate, appropriate, and effective to provide reasonable assurance that risks are being managed and objectives should be met.

Some Improvement Needed – A few specific control weaknesses were noted; generally, however, controls evaluated are adequate, appropriate, and effective to provide reasonable assurance that risks are being managed and objectives should be met.

Major Improvement Needed – Numerous specific control weaknesses were noted. Controls evaluated are unlikely to provide reasonable assurance that risks are being managed and objectives should be met.

Unsatisfactory – Controls evaluated are not adequate, appropriate, or effective to provide reasonable assurance that risks are being managed and objectives should be met.


Company E: 5 Tier Grading With Scale

Evaluation and Grading Matrix

Scope of Work Determinants | Well-Controlled (A) | Satisfactory – High (B) | Satisfactory – Low (C) | Material Opportunities for Improvement (F)
Operating Effectiveness and Efficiency | Effective | Adequate | Serious Problems but Not Material | Disclosure
Reliability of Financial Reporting | Effective | Adequate | Serious Problems but Not Material | Disclosure
Compliance With Applicable Laws and Regulations | Effective | Adequate | Serious Problems but Not Material | Disclosure
Safeguarding of Assets | Effective | Adequate | Serious Problems but Not Material | Disclosure


Appendix C: Macro-level Opinion (Example)

Note: It is necessary to have a methodology and process in place to evaluate the cumulative results of audit assignments and audit findings to express such an opinion.

To: Chair, Audit Committee

From: Head of Internal Audit

Subject: Internal Audit of (subject matter or other entity) for the period ended ___

We have completed the internal audit plan of (state the subject matter or other entity). The objective(s) of this engagement was (were) to (list the broad audit objective(s)).

The plan was prepared considering (state primary drivers used to develop the plan). The internal audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing.

The internal audit examined (describe what has been examined; e.g., the management control framework, the risk assessment strategy, policies and practices, information used for decision making, reporting as applicable to the entity examined, etc.).

The scope of the audit included (scope inclusions). Furthermore, the examination covered activities that have occurred during the period (period covered by the examination).

The criteria used to assess the entity were (describe the criteria and their source). The criteria were discussed and agreed with management (define who) before the conduct of detailed audit procedures.

We concluded that (insert a positive opinion/grade for each objective). Our overall opinion on XXX is satisfactory or unsatisfactory (base the overall opinion of the entity on the evaluation of the specific audit objective opinions).

In my professional judgment as (title), sufficient and appropriate audit procedures have been conducted and evidence gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions were based on a comparison of the situations as they existed at the time against the audit criteria. The conclusions are only applicable to the entity examined. The evidence gathered meets professional audit standards and is sufficient to provide senior management with proof of the conclusions derived from the internal audit.


Appendix D: Related IPPF Guidance

Related IPPF mandatory guidance includes:

2010 – Planning: "The CAE must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization's goals."

2410.A1 – Criteria for Communicating: "Final communication of engagement results must (where appropriate) contain the internal auditor's overall opinion and/or conclusion."

2120 – Risk Management: "The internal audit activity should monitor and evaluate the effectiveness of the organization's risk management system."

2120.A1 – The internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations;
• Safeguarding of assets; and
• Compliance with laws, regulations, and contracts.

Related IPPF strongly recommended guidance includes:

Practice Advisory 1210.A1-1 – Obtaining External Service Providers to Support or Complement the Internal Audit Activity. This guide also embodies concepts from the following AICPA Auditing Standards: SAS 65 – The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, and SAS 73 – Using the Work of Others.

Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity

1. Each member of the internal audit activity need not be qualified in all disciplines. The internal audit activity may use external service providers or internal resources that are qualified in disciplines such as accounting, auditing, economics, finance, statistics, information technology, engineering, taxation, law, environmental affairs, and other areas as needed to meet the internal audit activity's responsibilities.

2. An external service provider is a person or firm, independent of the organization, who has special knowledge, skill, and experience in a particular discipline. External service providers include actuaries, accountants, appraisers, culture or language experts, environmental specialists, fraud investigators, lawyers, engineers, geologists, security specialists, statisticians, information technology specialists, the organization's external auditors, and other audit organizations. An external service provider may be engaged by the board, senior management, or the chief audit executive (CAE).

3. External service providers may be used by the internal audit activity in connection with, among other things:
• Achievement of the objectives in the engagement work schedule.
• Audit activities where a specialized skill and knowledge are needed, such as information technology, statistics, taxes, or language translations.


• Valuations of assets such as land and buildings, works of art, precious gems, investments, and complex financial instruments.
• Determination of quantities or physical condition of certain assets such as mineral and petroleum reserves.
• Measuring the work completed and to be completed on contracts in progress.
• Fraud and security investigations.
• Determination of amounts, by using specialized methods such as actuarial determinations of employee benefit obligations.
• Interpretation of legal, technical, and regulatory requirements.
• Evaluation of the internal audit activity's quality assurance and improvement program in conformance with the Standards.
• Mergers and acquisitions.
• Consulting on risk management and other matters.

4. When the CAE intends to use and rely on the work of an external service provider, the CAE needs to consider the competence, independence, and objectivity of the external service provider as it relates to the particular assignment to be performed. The assessment of competency, independence, and objectivity is also needed when the external service provider is selected by senior management or the board, and the CAE intends to use and rely on the external service provider's work. When the selection is made by others and the CAE's assessment determines that he or she should not use and rely on the work of the external service provider, communication of such results is needed to senior management or the board, as appropriate.

5. The CAE determines that the external service provider possesses the necessary knowledge, skills, and other competencies to perform the engagement by considering:
• Professional certification, license, or other recognition of the external service provider's competence in the relevant discipline.
• Membership of the external service provider in an appropriate professional organization and adherence to that organization's code of ethics.
• The reputation of the external service provider. This may include contacting others familiar with the external service provider's work.
• The external service provider's experience in the type of work being considered.
• The extent of education and training received by the external service provider in disciplines that pertain to the particular engagement.
• The external service provider's knowledge and experience in the industry in which the organization operates.

6. The CAE needs to assess the relationship of the external service provider to the organization and to the internal audit activity to ensure that independence and objectivity are maintained throughout the engagement. In performing the assessment, the CAE verifies that there are no financial, organizational, or personal relationships that will prevent the external service provider from rendering impartial and unbiased judgments and opinions when performing or reporting on the engagement.

7. The CAE assesses the independence and objectivity of the external service provider by considering:
• The financial interest the external service provider may have in the organization.
• The personal or professional affiliation the external service provider may have to the board, senior management, or others within the organization.
• The relationship the external service provider may have had with the organization or the activities being reviewed.
• The extent of other ongoing services the external service provider may be performing for the organization.
• Compensation or other incentives that the external service provider may have.


8. If the external service provider is also the organization's external auditor and the nature of the engagement is extended audit services, the CAE needs to ascertain that work performed does not impair the external auditor's independence. Extended audit services refer to those services beyond the requirements of audit standards generally accepted by external auditors. If the organization's external auditors act or appear to act as members of senior management, management, or as employees of the organization, then their independence is impaired. Additionally, external auditors may provide the organization with other services such as tax and consulting. Independence needs to be assessed in relation to the full range of services provided to the organization.

9. To ascertain that the scope of work is adequate for the purposes of the internal audit activity, the CAE obtains sufficient information regarding the scope of the external service provider's work. It may be prudent to document these and other matters in an engagement letter or contract. To accomplish this, the CAE reviews the following with the external service provider:
• Objectives and scope of work, including deliverables and time frames.
• Specific matters expected to be covered in the engagement communications.
• Access to relevant records, personnel, and physical properties.
• Information regarding assumptions and procedures to be employed.
• Ownership and custody of engagement working papers, if applicable.
• Confidentiality and restrictions on information obtained during the engagement.
• Where applicable, conformance with the Standards and the internal audit activity's standards for working practices.

In reviewing the work of an external service provider, the CAE evaluates the adequacy of work performed, which includes sufficiency of information obtained to afford a reasonable basis for the conclusions reached and the resolution of exceptions or other unusual matters.

When the CAE issues engagement communications and an external service provider was used, the CAE may, as appropriate, refer to such services provided. The external service provider needs to be informed and, if appropriate, concurrence should be obtained before making such reference in engagement communications.


Practice Guide Team Members


Gilbert T. Radford, CIA
Bruce C. Sloan
Debbie E. H. Loxton
Norman D. Marks
Trygve Sorlie, CIA, CCSA

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Position Papers are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through a formal review and approval process. For other authoritative guidance materials provided by The IIA, please visit our Web site, www.theiia.org/guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
IPPF – Practice Guide

Independence and Objectivity

October 2011

Table of Contents

Executive Summary........................................................................................ 1

Introduction................................................................................................... 2

Guidance on Independence and Objectivity.................................................... 3

Relationship of Independence and Objectivity................................................ 3

Independence................................................................................................. 4

Objectivity...................................................................................................... 7

Considerations for Assurance and Consulting Engagements........................ 10

Considerations for Rotational Audit Assignments......................................... 11

Frameworks for Evaluating Independence and Objectivity............................ 12

Author, Contributors and Reviewers............................................................. 18

Appendix ..................................................................................................... 19


Executive Summary

The importance of independence and objectivity, which has always been significant for internal auditors, continues to increase among the challenges facing internal audit activities in the constantly changing business environment. An ever-growing number of stakeholders, both inside and outside an organization, continue to demand greater transparency, increased disclosures, expanded internal audit services, increased professionalism, improved coordination among internal and external auditors, greater responsibilities, and more accountability from internal audit professionals. This practice guide was developed to address these changes and increased expectations.

There are many assurance providers within the organization, such as frontline managers and executives, quality assurance staff, health and safety staff, and compliance and risk management staff. Internal audit is distinguished from many other internal assurance providers by virtue of a requirement to comply with professional standards and a code of ethics that demand independence and objectivity. Further, objectivity is a key determinant for whether external auditors can place reliance on work performed by internal audit. As specified in International Standard on Auditing (ISA) 610 – Using the Work of Internal Auditors, issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC), to determine potential areas of reliance, first and foremost, the external auditors have to evaluate the internal audit activity's degree of objectivity, its level of competence, and the extent to which judgment is involved in planning, performing, and evaluating that work.

Independence and objectivity are integral parts of the mandatory guidance of The Institute of Internal Auditors' (IIA) International Professional Practices Framework (IPPF). The use of these terms starts with the definition of internal auditing, which states that "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations." Objectivity is also one of the four key principles of The IIA's Code of Ethics (Code), which defines the rules of conduct that support these principles. The Code applies both to organizations and individuals that perform internal audit services. Standards 1100 – Independence and Objectivity; 1110 – Organizational Independence; 1120 – Individual Objectivity; and 1130 – Impairment to Independence or Objectivity outline the specific requirements for the internal audit activity and internal audit professionals. All internal audit practitioners should periodically refresh their understanding of this guidance.

This practice guide highlights the IPPF International Standards for the Professional Practice of Internal Auditing (Standards) related to independence and objectivity, as well as The IIA's supporting practice advisories. This guide also acknowledges the confusion that is often present when people use the terms independence and objectivity interchangeably. While independence and objectivity are related, they are distinctly different attributes and require specific actions and safeguards to ensure auditors are both independent and objective.

This guide also highlights activities supporting both independence and objectivity and discusses various factors that can affect an auditor's independence and objectivity. Combinations of threats, unresolved threats, and considerations for both assurance and consulting services also are discussed.

Frameworks for evaluating and managing independence and objectivity are presented as models that internal auditors can use to help ensure that independence and objectivity are promoted and fostered in their own organizations.

Key sections that provide further information relating to considerations about independence and objectivity include:


• Definitions of independence and objectivity, as well as related guidance included in the IPPF.
• Factors impacting independence, such as the organizational reporting relationship of the internal audit activity, access to information, control over the scope of internal audit activities and content of audit communications, and the oversight and involvement of governing bodies.
• Activities supporting independence, such as organizational placement, a strong governance environment, hiring practices (including outsourcing, as necessary), and a strong audit charter.
• Factors threatening objectivity, such as social pressure, economic interests, personal relationships, familiarity, cultural and other biases, self-review, and intimidation and advocacy threats.
• Managing threats to objectivity through the use of incentives, teams, rotational assignments, training, supervision and review, quality assessments, hiring practices, and outsourcing.
• Unresolved challenges to objectivity and considerations for assurance and consulting engagements.
• A process for managing threats to independence and objectivity and frameworks for evaluating independence and objectivity at the individual, engagement, activity, organization, and professional levels.

Introduction

In the midst of a global drive to improve corporate governance, internal auditors face many challenges and opportunities, including increasingly complex and pervasive use of technology, a need for new and ever-changing skills, flattening organizational structures, demand for an expanding scope of services, and increasing competition and globalization. Internal auditors are developing new strategies to meet these challenges, and are becoming more proactive by providing a broadened variety of services and otherwise changing the internal audit model. This, in turn, creates additional challenges in managing both independence and objectivity.

Management employs internal auditors, yet these same internal auditors review the performance of management and other activities within the organization. In addition, management often relies on internal auditors for consulting services and incorporates audit recommendations into the reengineering of business processes. In their role as assurance providers, auditors evaluate management's processes. The combination of the internal auditor as an employee of the organization, the increasing importance of internal audit activities, and the growing demand for internal audit consulting activities leads to escalating concern about internal auditor independence and objectivity. As internal auditors expand their role in governance and risk management activities, additional challenges are presented for managing independence and objectivity. The IIA's Position Paper on the Role of Internal Auditing in Enterprisewide Risk Management provides an excellent example of the expanded roles for internal audit as well as the safeguards needed to address any threats to internal audit's independence and objectivity.

As both private and public organizations around the world grow in size and influence, society is demanding greater accountability. This drive for accountability has led to an increased focus on audit activities as a cornerstone of governance systems and, in some parts of the world, has resulted in calls for mandating an internal audit activity.

The purpose of this practice guide is to:
• Highlight IIA guidance on independence and objectivity.
• Discuss potentially confusing aspects encompassing independence and objectivity.
• Identify activities that support independence and objectivity.


• Identify various considerations and potential challenges related to independence and objectivity.
• Provide frameworks for managing independence and objectivity.

Guidance on Independence and Objectivity

The IIA’s IPPF provides guidance for independence and objectivity in several standards, practice advisories, and position papers. The following standards, which include a paraphrased interpretation, address independence and objectivity.

1100 – Independence and Objectivity (Standard)
The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation:
“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. . . . Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. . .”

1110 – Organizational Independence (Standard)
The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation:
Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:
• Approving the internal audit charter;
• Approving the risk-based internal audit plan;
• Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
• Approving decisions regarding the appointment and removal of the chief audit executive; and
• Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1120 – Individual Objectivity (Standard)
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

1130 – Impairment to Independence or Objectivity (Standard)
If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

The various standards and practice advisories related to independence and objectivity are reproduced in detail in the appendix of this practice guide.

Relationship of Independence and Objectivity

In practice, there is often confusion about independence and objectivity, and many people use these terms interchangeably. Independence and objectivity are not the same thing. Someone can be independent but not objective, and conversely, someone can be objective but not independent. It is important to understand the difference between the two and realize how threats and safeguards affect each.

It is easier to measure or gauge independence and implement safeguards to ensure it than to ensure objectivity. Safeguards such as reporting relationships, segregation of duties, restrictions on responsibilities, remuneration structure, and actions or requirements that avoid conflicts of interest can help improve independence.

Objectivity, however, is something for which an individual auditor retains ultimate accountability and control. For example, statistical sampling techniques can be used to pull an unbiased sample for testing, but it is still up to the individual auditor to exercise professionalism and due care in applying the test attributes or procedures and interpret the results in an unbiased manner. Supervisory review of the test work is a safeguard to help ensure that test results and conclusions are objective.

The IPPF Standards Glossary provides the following definitions for independence and objectivity (as revised Jan. 1, 2011):

Independence: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.

Objectivity: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.

As previously noted, many auditors have struggled with these concepts, often using the terms interchangeably and incorrectly. This confusion was compounded by using one term to define the other. The newly revised Standards Glossary definitions should help alleviate some of this confusion. While these terms are certainly related, they are extremely different concepts. In practice, the independence concept is usually expressed in factual matters, such as the organizational placement of the internal audit activity, reporting relationships to the board, an audit committee or other governing body separate from management, and authorities to access information, people, and records. Objectivity relates more to a state of mind, the individual auditor’s judgment, biases, relationships, and behaviors.

Independence

Factors Impacting Independence

The specific role of internal audit activities varies from organization to organization based on factors such as organizational size, type of operations, capital structure, and the legal and regulatory environment. In some organizations, the work of internal auditors is confined to special assurance and consulting projects for management. In these situations, management is the only user of the internal audit work and the only party that derives direct benefit from that work. In other organizations, the internal audit activity provides assurance and consulting services to various groups inside and outside the organization, such as governing bodies (e.g., boards of directors), regulators, external auditors, customers, and suppliers.

The particular role of the internal audit activity in an organization determines the appropriate structure of responsibilities and reporting level as well as the degree of reliance that should be placed on the assurance and consulting services provided. An internal audit activity with a broad assurance and consulting role ideally should report directly to the governing board of the organization and, more specifically, to the audit committee of the board or other similar body.


The organizational placement and status of the internal audit activity pose a practical constraint or a limit on the scope of internal audit services that can be appropriately undertaken by internal auditors. For example, if the internal audit activity resides in the controller’s department with the chief audit executive (CAE) reporting directly to the controller, it is difficult — if not impossible — for the internal auditor to objectively evaluate the performance of peer offices under the chief financial officer. In general, the higher the reporting level, the greater the potential scope of engagements that can be undertaken by the internal audit activity while remaining independent of the audited entity.

The ability to achieve appropriate and adequate internal audit activity independence depends critically on the appropriate placement or organizational status of the activity within the organization. The organizational status of the internal audit activity should be sufficient to allow it to accomplish its activities as defined by its role within the organization. In this regard, the internal audit activity must be positioned to obtain cooperation from the entity being audited and free access to required information. Noting such access in audit department and audit committee charters is always a good practice. Including CAEs as part of senior or executive management and as participants in critical meetings helps demonstrate strong and supportive top management commitment to the internal audit activity. In addition, reports of audit findings must not be subject to potential interference and suppression by management.

The internal audit activity should be organized to afford a higher organizational status as its role expands and as more parties inside and outside the organization derive assurance from its work. For example, to provide assurance to the governing body of the organization, such as the board of directors or similar bodies, the CAE should have direct and unrestricted access to that body. This allows the activity to be insulated from possible threats to independence.

If the internal audit activity does not have sufficient organizational status and autonomy, the ability to effectively manage the independence of its work and reports is subject to question. For example, the risk that independence will be compromised may be high in situations in which the CAE may be fired by top management without consultation with the organization’s governing body. The risk also may be high in situations in which the scope of audit activities or the activity’s budget is determined by top management without consultation with the governing body. In these situations, there is a risk that management may inappropriately affect the scope of the audit work, impose bias, or suppress audit findings. When the risk that appropriate and adequate independence will not be achieved is significant, it is difficult to determine how much assurance may be derived from the audit work.

In evaluating the appropriate organizational status of the internal audit activity, consideration also should be given to other constituents who derive benefit from the assurance and consulting work. For example, external auditors may have greater confidence in internal controls because they know an effective internal audit activity reviews the system. Similarly, the governing body of an organization may obtain assurance on overall control from the fact that the internal audit activity performs risk assessments to determine the appropriate areas to audit. The knowledge that risk assessment and monitoring are being performed may provide implicit assurance in areas beyond those explicitly examined and reported on by internal auditors.

Internal auditors are being asked more frequently to provide assurance to parties outside the organization. For example, regulatory agencies often require copies of internal audit reports. Some regulations even require establishment of an internal audit function. In addition, customers and suppliers are beginning to request assurances about such matters as the organization’s controls over the confidentiality of shared information, particularly in electronic commerce cases. Providing credible assurance to these outside parties requires the highest degree of organizational status and autonomy on the part of the internal audit activity.

The organizational status of the internal audit activity correlates with the scope of engagements that can be undertaken. When there is high-level reporting, the scope of potential engagements is less limiting; when there is lower-level reporting, the reporting universe (i.e., the population of users who could benefit from the audit work) becomes more limited.

In organizations where assurance is derived by parties other than management, the organization’s governing body should review the autonomy of the internal audit activity to ensure its adequacy. If internal audit activities provide assurance to customers, clients, external auditors, regulators, or other parties outside the organization, such assurance activities should be endorsed by the appropriate governing body. In addition, the autonomy and organizational status of the activity should be reviewed for compliance with any existing legal or regulatory requirements.

In reviewing and evaluating the organizational status of the internal audit activity, the governing body should consider factors that increase and improve independence, such as:

• The reporting level of the CAE within the organization.
• The CAE’s unrestricted access to information throughout the organization and the governing board.
• The governing board’s involvement in decisions to hire or remove the CAE and in drafting and approving an internal audit charter.
• The role of the governing board in influencing the budget for, and the scope of, internal audit activities and remuneration and retention of the CAE.
• The active involvement, oversight, review, and follow-up by the governing board with the internal audit activity.

These factors are not intended to be all-inclusive, and should be considered in relation to the parties that expect to derive assurance from the internal auditors’ activities. When internal audit has sufficient organizational status and autonomy, parties both inside and outside the organization can have increased confidence in internal audit’s ability to manage threats to independence with respect to the work that it performs. Therefore, the CAE is free from significant threats that may affect any individual auditor’s ability to make independent decisions regarding audit engagements and reports.

Activities Supporting Independence

The following list is not intended to be exhaustive. Rather, it is intended to illustrate the range of mitigating factors and safeguards that may reduce or eliminate threats to independence.

Organizational Position and Policies

The auditor and/or audit activity’s organizational position, internal audit charter, and policy statements at various levels addressing auditor/audit client relations may bolster the auditor’s position in the organization and create barriers for audit clients to influence or intimidate auditors. Other documents that could be used to promote internal audit’s status in the organization are the organization’s code of ethics, the audit activity’s mission statement, audit reports and other official communications from the audit activity, an audit website, and the audit committee charter.

Environment — Strong Organizational Governance System

A supportive environment in the organization as a whole encourages auditors to audit and report without restriction and fear of retaliation for negative opinions or critical findings. A significant component of a supportive environment is the audit committee, board, or other governing body, which is crucial in ensuring auditor independence.


Audit Charter

A strong governing body and internal audit charter that clearly outline internal audit’s responsibilities, authorities and reporting relationship, unrestricted access to information, people, and records can help promote independence. Effective governing body oversight, including responsibilities for hiring, evaluating and compensating, and terminating the CAE, can improve independence.

Hiring and Compensation Practices

Hiring practices also can be a safeguard for independence. For example, screening can ensure that potential employees do not have conflicts of interest that threaten the internal audit activity’s independence, such as by determining whether applicants own stock in the organization, are related to people who work for or have business relationships with the organization, or have served in some official capacity previously or provided significant services to the organization in the past. Compensation practices also can be structured so that the auditors’ pay is not dependent on the performance of the organizational units they review.

Outsourcing

When internal structure and mechanisms cannot be effectively used to manage threats to independence, outsourcing to an external service provider can help promote independence of internal audit activities.

Objectivity

Factors Threatening Objectivity

To make unbiased performance and reporting decisions, internal auditors must be able to manage threats to objectivity. This ability is also an important signal to governing boards, shareholders, and external parties that internal audit activities can be relied on to provide assurance about control, compliance, and other relevant matters.

Social Pressure

Social pressure threats may arise when an auditor is exposed to, or perceives that he or she is exposed to, pressures from external parties. For example, a perception that external auditors or regulators expect a certain number of findings to be generated, or that management expects each engagement should produce major findings, can put undue pressure on internal auditors. This situation also may occur when the auditor, for example, has inadvertently or mistakenly raised issues in the past when there were no problems. Also, pressure from audit clients could drive the auditor to overlook suspicious items. Another form of social pressure could occur when an audit team member is reluctant to oppose a generally held view on the part of the audit team itself or from clients who indicate that “this is the way we have always done it” (a phenomenon labeled as “groupthink” in behavioral literature).

Economic Interest

This threat may arise when the auditor has an economic stake in the performance of the organization. An auditor may fear that significant negative findings, such as discovery of illegal acts, could jeopardize the entity’s future; hence, the auditor’s own interests as an employee. Or, an auditor may have stock options or other financial interests that may be threatened by negative audit findings. This threat also arises when the auditor audits the work or department of an individual who may subsequently make decisions that directly affect the auditor’s future employment opportunities or salary.

Personal Relationship

This threat may arise when an auditor is a close friend or relative of the manager or an employee of the audit client. The auditor may be tempted to overlook, soften, or delay reporting negative audit findings to avoid embarrassing the friend or relative.


Familiarity

This threat may arise because of an auditor’s long-term relationship with the audit client. Familiarity may lead an auditor to lose objectivity during an audit by making the auditor overly sympathetic to the client. Alternatively, familiarity may lead an auditor to prejudge an audit client on the basis of previous problems (or nonproblems) and assume a posture consistent with the prejudgment rather than taking a fresh, objective look.

Cultural, Racial, and Gender Biases

This threat may arise from cultural, racial, or gender biases. For example, in a multidivisional organization, a domestically based auditor may be biased or prejudiced against audit clients located in certain foreign locations. Or, an auditor may be unduly critical of different practices and customs or of an audit client managed or staffed by employees of a particular race or gender.

Cognitive Biases

This threat may arise from an unconscious and unintentional psychological bias in interpreting information depending on a person’s role in a situation. For example, if someone takes a critical audit perspective, he or she may overlook positive information. Conversely, if someone takes a positive facilitative perspective, he or she may discount negative information. In addition, an auditor may come with certain preconceived notions and tend to see evidence confirming such notions.

Self-review

Self-review threats may arise when an auditor reviews his or her own work performed during a previous audit or consulting engagement. For example, an auditor may audit a department repeatedly or in consecutive years, or the auditor may provide consulting services in connection with a system implementation that he or she subsequently must audit. Furthermore, the auditor may provide recommendations for operational improvements and subsequently review processes that were changed in accordance with those recommendations. All of these examples represent situations in which the auditor could conceivably become less critical or observant of errors or deficiencies due to the difficulty of maintaining objectivity when reviewing his or her own work.

Intimidation Threat

Intimidation threats arise when an auditor is deterred from acting objectively by threats — actual or perceived — or being overtly or covertly coerced by audit clients or other interested parties.

Advocacy Threat

Advocacy threats arise from auditors acting biased in promoting or advocating for or against the audit client to the point that subsequent objectivity may be compromised.

Managing Threats to Objectivity

The following list is not intended to be exhaustive. Rather, it is intended to illustrate the range of mitigating factors that may reduce or eliminate threats to objectivity.

Incentives (Rewards, Discipline)

A system of rewards and disciplinary processes within both the internal audit activity and in the entire organization can reduce threats to objectivity. For example, an environment that rewards critical and objective thinking or penalizes bias or prejudice can encourage objectivity in the face of these types of threats. Incentive pay, additional time off, flexible work schedules, and other positive rewards can be used to encourage and reward objective thinking.

Likewise, penalties that impact performance reviews, delay promotions or other advancement, or require additional training could be used to discourage lack of objectivity. Naturally, how such reward and discipline programs are structured and managed is critical and must be conducted in a professional and balanced manner to be viewed as positive and supportive.


Use of Teams

Assigning another team member to an audit can diffuse or eliminate potential threats to objectivity by bringing an additional perspective to the audit. This additional perspective can counterbalance potential threats due to familiarity, personal relationships, self-review, or other threats to objectivity on the part of one or more audit team members. In addition, appropriate assignments within teams can be made to maximize the mitigating effects of the team approach.

Rotation/Reassignment

Rotating audit assignments can reduce the degree of familiarity and self-review. There are different types of rotation, including rotating all the staff from one audit to another so that new staff always performs the audit; rotating some of the staff; and keeping the audit staff on a repeated audit but rotating the work performed by the staff.

Training

Training in appropriate methods and approaches improves objectivity. Further, training also can help auditors recognize potential threats to objectivity, so that they can avoid or effectively manage them in a timely fashion.

Supervision/Review

Close supervision of auditors and careful review of their work can encourage staff to approach audit issues objectively, since they are accountable for their judgments. Research indicates that accountability is an important factor in improving judgments and reducing biases in an audit.

Quality Assessment

Internal and external reviews of the internal audit activity, its services, processes, and procedures can help ensure that threats to objectivity are effectively managed and professionalism is maintained. Ongoing monitoring and periodic reviews can help ensure that processes are in place and that the audit staff carries out their activities in accordance with designated policies and procedures.

Hiring Practices

Hiring practices also can improve the likelihood that personnel are free from biases and are able to render objective judgments when conducting internal audit engagements. For example, screening can ensure that potential employees do not have conflicts of interest that threaten their objectivity. Also, determining whether applicants have relatives that work for the organization, own stock in the organization, have family members with business relationships with the organization, or have served previously in some official capacity or provided significant services to the organization can help ensure objectivity.

Outsourcing

Outsourcing internal audit activities to a third party may be appropriate when there are known or perceived conflicts of interest that would impair the staff’s judgment or create potential biases.

Combinations of Threats to Objectivity

There could be circumstances in which several categories of threats are present at the same time. For example, many internal auditors provide control self-assessment services that involve working with audit client representatives and facilitating their review of risks and controls. A number of threats can arise in these circumstances, such as self-review threats if an auditor acts as a facilitator and subsequently is assigned to review the controls that were the subject of the assessment exercise. Also, social pressure threats may arise if the facilitating auditor feels pressure to not “breach the trust” placed in the self-assessment process by the participants who candidly reveal system weaknesses. In this context, an auditor may be concerned that future self-assessment exercises would be undermined by negative audit findings. Furthermore, when an auditor takes on a facilitating role, he or she may become too close to some audit clients by developing personal relationships that could make it difficult to be critical of those clients. Or, the auditor may develop unconscious cognitive biases because of the positive facilitative role adopted in the self-assessment process by interpreting information about the audit clients more positively than objectively and seeking confirmatory information.

While the auditor only may be dealing with individual threats in some cases, there will be multiple threats, mitigating factors, and management tools used to address residual threats in many situations. Therefore, a comprehensive and integrated approach in identifying, assessing, and managing potential threats is recommended.

Threats to Objectivity at the Activity Level

Some internal auditors have suggested that certain activities, such as consulting services and control self-assessment services, performed by the internal audit activity may threaten the activity’s objectivity and result in role conflict. For example, if an activity provides extensive management consulting services, threats to objectivity may arise in the form of self-review threats and familiarity threats at the unit level. Self-review threats may arise when internal audit is involved in the implementation of an entitywide management information system and subsequently is engaged in reviewing the same system.

Providing consulting services does not in and of itself necessarily compromise objectivity, particularly if the auditor is involved primarily in an advisory capacity (internal audit should not be involved in a decision-making capacity) and there is no reason to presume that the auditor’s objectivity is automatically compromised. A professional internal auditor and internal audit activity, within the context of the framework described herein, should be able to recognize potential threats to objectivity in subsequent audit assignments, consider mitigating factors, and take appropriate action to reduce or eliminate residual threats to objectivity.

Unresolved Threats to Objectivity

There may be circumstances in which threats to objectivity remain unresolved because no mechanisms are available to address unmitigated threats, and the engagement cannot be outsourced. The guide specifies that these unresolved threats should be disclosed to the audit committee or similar independent bodies so that the auditor’s recommendations are reviewed in the appropriate context. This disclosure also may be included in the audit report as appropriate. In some situations, audit committee members or top management may, in fact, be the problem. Therefore, the best alternative may be to decline to conduct the audit. If the problem is systemic, the internal auditor should evaluate how the effect of remaining with the organization will impact his or her professionalism and the underlying commitment to integrity.

Considerations for Assurance and Consulting Engagements

Assurance engagements include those services designed to provide an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the organization. Examples may include financial, performance, compliance, system security, and due diligence engagements.

Consulting engagements include advisory and related client service activities — the nature and scope of which are agreed to by the client — and are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.

As previously noted, providing consulting services does not in and of itself necessarily compromise objectivity, particularly if the auditor is involved in an advisory capacity and there is no reason to presume that his or her objectivity is automatically compromised. A professional


internal auditor and internal audit activity, within the context of the framework described herein, should be able to recognize potential threats to objectivity in subsequent audit assignments related to previous consulting services, consider mitigating factors, and take appropriate action to reduce or eliminate residual threats to objectivity. Internal auditors should remember Standard 1130.A1, which states: “Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.”

Considerations for Rotational Audit Assignments

Rotational audit assignments can create unique challenges and may require special considerations when evaluating independence and objectivity. These special considerations will vary depending on the nature of the rotational audit assignment. Examples of some typical rotational audit assignments include:

• Individuals can be employed as part of an audit staff on a temporary basis and later return to another department, operating unit, or subsidiary of the organization. These assignments can run from very short engagements, such as two to three weeks, to extended time periods that can last from two to three years.
• Interns or management trainees employed by the organization may be assigned to the internal audit activity as part of their training and development.
• The CAE position in some organizations may be subject to rotational assignments. These types of assignments usually last longer — often at least two years — but can run as long as five or more years depending on the organization’s needs.

The examples described above generally involve rotational assignments “into” the internal audit activity. Here again, internal auditors are reminded about Standard 1130.A1 that governs assessing activities for which auditors were previously responsible. Rotational assignments also can be structured so that internal auditors rotate “out” of the internal audit activity for some time period. Internal auditors at all levels — staff, management, or even the CAE — may rotate out of internal audit and be assigned to another department, business unit, or subsidiary of the organization. Generally, independence and objectivity concerns will need to be evaluated only when the individual rotates back into the internal audit activity.

Internal auditors seeking guidance involving situations in which the internal auditor may be assigned audit work related to areas where they were previously employed should refer to the guidance contained in Standard 1130 (see the appendix). This guidance is generally directed to auditors who have joined or “rotated into” the internal audit activity on a permanent basis. Internal auditors who may eventually rotate back to other areas of the organization (i.e., those who have joined the internal audit activity on a temporary basis or for a rotational assignment) may need to take additional actions to help ensure independence or objectivity. Rotational auditors may face challenges or threats to their independence or objectivity that cause them to fear their chances of returning to the area from which they rotated may be jeopardized. These challenges or threats can come from outside parties the auditors deal with when performing audit assignments or the threats may be self-imposed.

The following list presents considerations or actions that may need to be taken for auditors on rotational assignments.

• If the CAE has rotated into the internal audit activity and is expected to return to an operating unit or other subsidiary of the organization, possible safeguards could include:

www.theiia.org/guidance / 11
IPPF – Practice Guide
Independence and Objectivity

– Ensuring the CAE is aware of IIA standards related to independence and objectivity and the Code of Ethics.
– Ensuring that the audit committee is aware of this arrangement, preferably by documenting a discussion in the audit committee minutes.
– Assigning a third party to oversee the audit work performed in the area to which the CAE will return.
– Requiring the CAE to recuse himself or herself from the matters that present a problem and delegate all required activities in that area, including board reporting, to a deputy CAE or audit manager when the internal audit function is large enough.
– Including an independent party (e.g., another executive or manager) to observe or participate in meetings between the CAE and acting management of the area to which the CAE will return in situations involving problems, audit issues, personnel issues, or other major discussions.
– Considering a special review of interactions (e.g., reports, significant meetings, etc.) between the CAE and the area to which he or she will return when a decision is made, if the area to which the CAE will return is unknown or to be decided later.
• For staff auditors and audit managers who may have rotated into internal audit and will be rotating back to some other operating unit or subsidiary, possible safeguards could include:
– Ensuring the auditor who has rotated into the internal audit activity is aware of IIA standards related to independence and objectivity and the Code of Ethics.
– Refraining from assigning rotating staff, if possible, to audit areas to which they will return. This is more easily accomplished in larger audit shops. Audit shops with limited resources may need to take other precautions.
– Providing additional oversight and review of the work performed by auditors who may be auditing an area to which they eventually will return.
– Ensuring appropriate disclosures are included in audit reports.
– Ensuring appropriate discussions have been held with the audit committee, management, and the area to be audited.
• For organizations that run “rotational” audit shops, where some portion of the audit staff are expected to eventually rotate back out to some other area of the organization, the following safeguards can be considered:
– Ensuring all auditors are aware of IIA standards related to independence and objectivity and the Code of Ethics.
– Ensuring that “career” audit managers and supervisors review the work of rotational auditors.
– Refraining from assigning rotational auditors, if possible, to areas where they may return.
– Ensuring appropriate disclosures are made and that appropriate discussions have been held with the audit committee and management.

Frameworks for Evaluating Independence and Objectivity

Independence and objectivity are necessary for effective internal audit services. Each of these must be managed effectively for internal audit activities to comply with the IPPF. This section provides a process and frameworks for managing threats to both independence and objectivity. These frameworks focus directly on the goals of independence and objectivity at the organizational, engagement,


and personal levels by requiring internal auditors to identify threats to their independence or objectivity. Further, internal
auditors are required to assess and mitigate those threats, and assess whether they can be independent and objective given
the steps they have taken to mitigate the threats identified.

The independence framework recognizes that independence is primarily an organizational and structural issue. The ob-
jectivity framework recognizes that objectivity is primarily a state of mind. The assessment of threats to independence
or objectivity — and their mitigation or management — is largely a process of self-assessment by internal auditors. The
frameworks rely heavily on the professionalism of CAEs and individual auditors. Internal auditors must accept the respon-
sibility to manage and disclose threats to their own independence or objectivity.

The following process diagram presents the stages for managing threats to independence or objectivity.

PROCESS FOR MANAGING THREATS TO INDEPENDENCE OR OBJECTIVITY

Identify Threat -> Assess Significance of Threat -> Identify Mitigating Factors -> Assess Residual Threat -> Proactively Manage Residual Threat -> Assess Presence of Unresolved Threats -> Determine Reporting and Disclosure Implications -> Review and Monitoring

Identify threat. The first responsibility of auditors within the managed independence or objectivity process is to identify possible threats to independence or objectivity. Any situations or circumstances that may cause internal auditors to question their ability to act freely or without bias must be identified as a threat. Even seemingly insignificant threats to independence and objectivity should be identified during this stage. Threats may arise from, but are not limited to, issues relating to reporting or organizational deficiencies or to personal, financial, or task relationships. Threats identified by auditors should be conveyed to the CAE so that he or she can proactively manage the threats.

Assess significance of threat. The second stage of the process requires auditors to assess the significance of the threats to independence or objectivity identified in the previous stage. Assessing significance requires those performing internal audit services to consider whether threats might compromise their independence or objectivity and whether seemingly insignificant threats could intensify over time. The assessment of the significance of threats must be considered both in the context of immediate circumstances and expected or reasonably possible changes in future circumstances.

Identify mitigating factors. After identifying and assessing the significance of threats to independence or objectivity, internal auditors should identify specific mitigating factors that may alleviate the threats. Mitigating factors could include, but are not limited to, audit committee support, job security issues, reputation capital, and legal/professional penalties. Internal auditors should take care to identify relevant mitigating factors in determining whether the threat can be mitigated, and if so, how to best mitigate the risk of compromised independence or objectivity.

Assess residual threat. After identifying mitigating factors for related threats to independence or objectivity, an internal auditor must then determine whether these factors have sufficiently mitigated the threats to allow the auditors to perform their audit work so the risk of ineffective audits is minimal. The internal auditor must be cautious to avoid assuming that the factors have adequately mitigated all of their independence or objectivity risks, and should make this assessment from the perspective of persons relying on the auditor’s judgments. In cases where significant residual threats exist, or if the internal auditor is not entirely sure of his or her own independence or objectivity, the assessment should be made or reviewed by the CAE or, when necessary, senior management and/or the audit committee.

Proactively manage residual threat. Threats to independence or objectivity that are not sufficiently offset by mitigating factors should be appropriately managed by auditors (to the extent possible) to ensure audits can be performed without interference and bias. Suggested tools to manage residual threats to independence or objectivity include, but are not limited to, strong audit charters, third-party reviews, separation of audit duties, or contracting work to another party.

Assess presence of unresolved threats. In this stage, auditors must review any remaining threats that could not be resolved adequately through the identification of mitigating factors or management efforts. Should the auditor determine that significant unmitigated and unmanaged threats to independence or objectivity remain, he or she, in conjunction with appropriate parties, should then assess whether it is still possible or practical to perform the work. In many cases, it may be advisable to inform likely users of the services about the unresolved threats prior to beginning audit work. If, after advisement and consultation, the decision is that the work should be performed despite unresolved threats to independence or objectivity, reporting implications should be considered carefully.

Determine reporting and documentation implications. Identified mitigating factors and steps taken to manage threats to independence or objectivity must be documented adequately to provide an accurate record of auditors’ efforts to achieve independence and objectivity. This record will provide valuable information to the organization’s governing body and to professional quality assurance review teams. Further, if the decision is made to undertake work in the presence of material, unresolved threats to independence or objectivity, auditors should report the details of the situation to the appropriate level (e.g., senior management, the audit committee, or the board of directors or its equivalent). Unresolved threats also should be disclosed in audit reports. Such communication prevents users from unknowingly deriving unwarranted assurance from work that was performed in the presence of a significant unresolved threat to independence or objectivity.

Review and monitoring. For every audit engagement, the CAE should conduct an overall review of the audit activity and related staffing to determine whether independence and objectivity were effectively managed. This would require the acceptance of engagements compatible with the role of the internal audit activity in the organization. In addition, the CAE should review and monitor the process for managing threats to independence or objectivity for individual audit engagements. Audit committees or other similar bodies also can be part of the monitoring and review process. Finally, the internal audit profession requires quality assessments of internal audit activities. These assessments should include the process to ensure compliance with independence and objectivity standards.

The following table presents a framework for managing threats to independence at all levels of auditor involvement.


MANAGED INDEPENDENCE FRAMEWORK

Level                         Issues
I. Individual                 • Management of auditor independence
                              • Reporting relationship of the auditor
II. Engagement                • Review auditor independence
                              • Access to information
                              • Freedom from influence or control by audit client
III. Internal Audit Activity  • Ensure independence is managed (including third-party outsourcing)
                              • Organizational placement
                              • Strong charters
IV. Organization              • Management interest in, and support of, independence
                              • Human resources policies (e.g., hiring, firing, promoting)
                              • Level of audit committee involvement
V. Profession                 • Standards-setting, education, and enforcement
                              • Active promotion of independence management
                              • Monitoring of profession-level results
                              • Certification

FOUNDATION: NEED FOR INDEPENDENCE

Level I depicts individual internal auditor-level issues. A key component of independence is the reporting relationship of the internal auditor.

Level II depicts engagement-level issues. At this level, freedom from undue influence or control by the audit client is critical.

Level III depicts issues at the level of the internal audit activity. The CAE is responsible for reporting any unmitigated residual threats to independence to the audit committee or other appropriate parties, and for ensuring that independence is appropriately managed on individual engagements. The CAE may want to consider outsourcing an engagement if independence from audit clients cannot be managed to an appropriate degree.

Level IV depicts organization-level issues. Policies should be established to ensure that auditors are free to conduct audits and report results without interference. Ultimately, the CAE should be actively involved with the audit committee or similar bodies to ensure the highest level of independence of the audit activity.

Level V depicts the profession level and encompasses activities by professional bodies, such as The IIA. These


professional bodies can ensure that standards and guidance — which will enhance the internal auditor’s ability to manage
independence and guide organizations in establishing appropriate and adequate internal audit independence — are pro-
mulgated. In financial services and some other regulated industries, higher thresholds for accountability may necessitate
government review of independence documents. In other environments, regulatory encouragement and endorsement
often provide additional reinforcement on compliance with professional requirements.

The following table presents a framework for managing threats to objectivity at all levels of auditor involvement.

MANAGED OBJECTIVITY FRAMEWORK

Level                         Issues
I. Individual                 • Management of auditor objectivity
                              • Management of professionalism
II. Engagement                • Review auditor objectivity
                              • Review auditor professionalism and the audit process
III. Internal Audit Activity  • Rotation of employees on jobs
                              • Ensure objectivity is managed (including third-party outsourcing)
                              • Review hiring practices
IV. Organization              • Management interest in objectivity
                              • Human resources policies (hiring, firing, promoting)
                              • Quality assurance reviews
V. Profession                 • Standards-setting, education, and enforcement
                              • Active promotion of objectivity management
                              • Monitoring of profession-level results
                              • Certification

FOUNDATION: NEED FOR OBJECTIVITY

Level I depicts individual internal auditor-level issues and is the point at which threats to objectivity are identified and proactively managed. It is also at this level that internal auditor professionalism (i.e., competence, integrity, and the use of due care) is fostered. This professionalism in turn cultivates objectivity.

Level II depicts engagement-level issues. The engagement level is where a review of individual auditor objectivity and related threats would take place, as well as the standard review of audit practices, procedures, and judgments. Appropriate supervision of the audit staff and review of audit work can help encourage results that are bias-free.


Level III depicts issues at the level of the internal audit activity. This is the point at which the CAE takes steps to enhance objectivity, such as rotation of auditors on engagements. The CAE also would be responsible for reporting any unmitigated residual threats to objectivity to the audit committee or other appropriate parties and assuring that objectivity is appropriately managed on all engagements.

Level IV depicts organization-level issues. The internal audit activity must be given the freedom to appropriately manage threats to objectivity. Management also should actively support internal audit. Policies should be established to ensure that auditors are not penalized for surfacing problems and identifying issues in the organization.

Level V depicts the profession level and encompasses activities by professional bodies, such as The IIA. These professional bodies can ensure that standards and guidance — which will enhance the internal auditor’s ability to manage objectivity and offer certifications to enhance professionalism and strengthen auditor objectivity — are promulgated. They also can help ensure process quality and controls for objectivity through quality assurance peer reviews. In some environments, regulatory encouragement and endorsement often provide additional reinforcement on compliance with professional requirements. Further, educational programs can be offered to focus on enhancing objectivity and help auditors identify and understand threats to objective judgments.


Author:
Steven E. Jameson, CIA, CFSA, CCSA, CPA, CBA, CFE

Contributors and Reviewers:
Douglas J. Anderson, CIA
Jacques R. Lapointe, CIA, CGAP
Sam M. McCall, PhD, CIA, CGAP, CPA, CGFM
Maria E. Mendes, CIA, CCSA
Melinda M. Miguel
Patricia A. MacDonald
James Rose, CIA


Appendix
IPPF Guidance on Independence and Objectivity

The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards) provides the following guidance related to independence and objectivity.

1100 – Independence and Objectivity (Standard)

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation:
Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 – Organizational Independence (Standard)

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation:
Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:
• Approving the internal audit charter;
• Approving the risk-based internal audit plan;
• Receiving communications from the chief audit executive on the internal audit activity’s performance relative to its plan and other matters;
• Approving decisions regarding the appointment and removal of the chief audit executive; and
• Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

– 1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

Practice Advisory 1110-1: Organizational Independence (Jan. 1, 2009)

1. Support from senior management and the board assists the internal audit activity in gaining the cooperation of engagement clients and performing their work free from interference.
2. The chief audit executive (CAE), reporting functionally to the board and administratively to the organization’s chief executive officer, facilitates organizational independence. At a minimum the CAE needs to report to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications, and appropriate action on engagement recommendations.


3. Functional reporting to the board typically involves the board:
• Approving the internal audit activity’s overall charter.
• Approving the internal audit risk assessment and related audit plan.
• Receiving communications from the CAE on the results of the internal audit activities or other matters that the CAE determines are necessary, including private meetings with the CAE without management present, as well as annual confirmation of the internal audit activity’s organizational independence.
• Approving all decisions regarding the performance evaluation, appointment, or removal of the CAE.
• Approving the annual compensation and salary adjustment of the CAE.
• Making appropriate inquiries of management and the CAE to determine whether there are audit scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities.
4. Administrative reporting is the reporting relationship within the organization’s management structure that facilitates the day-to-day operations of the internal audit activity. Administrative reporting typically includes:
• Budgeting and management accounting.
• Human resource administration, including personnel evaluations and compensation.
• Internal communications and information flows.
• Administration of the internal audit activity’s policies and procedures.

1120 – Individual Objectivity (Standard)

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation:
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively.

Practice Advisory 1120-1: Individual Objectivity (Jan. 1, 2009)

1. Individual objectivity means the internal auditors perform engagements in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Internal auditors are not to be placed in situations that could impair their ability to make objective professional judgments.
2. Individual objectivity involves the chief audit executive (CAE) organizing staff assignments that prevent potential and actual conflict of interest and bias, periodically obtaining information from the internal audit staff concerning potential conflict of interest and bias, and, when practicable, rotating internal audit staff assignments periodically.
3. Review of internal audit work results before the related engagement communications are released assists in providing reasonable assurance that the work was performed objectively.
4. The internal auditor’s objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. The auditor’s objectivity is considered to be impaired if the auditor designs, installs, drafts procedures for, or operates such systems.


5. The occasional performance of non-audit work by the internal auditor, with full disclosure in the reporting process, would not necessarily impair objectivity. However, it would require careful consideration by management and the internal auditor to avoid adversely affecting the internal auditor’s objectivity.

1130 – Impairment to Independence or Objectivity (Standard)

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation:
Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity’s and the chief audit executive’s responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

– 1130.A1 – Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.
– 1130.A2 – Assurance engagements for functions over which the chief audit executive has responsibility must be overseen by a party outside the internal audit activity.
– 1130.C1 – Internal auditors may provide consulting services relating to operations for which they had previous responsibilities.
– 1130.C2 – If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.

PA 1130-1: Impairment to Independence or Objectivity (Jan. 1, 2009)

1. Internal auditors are to report to the chief audit executive (CAE) any situations in which an actual or potential impairment to independence or objectivity may reasonably be inferred, or if they have questions about whether a situation constitutes an impairment to objectivity or independence. If the CAE determines that impairment exists or may be inferred, he or she needs to reassign the auditor(s).
2. A scope limitation is a restriction placed on the internal audit activity that precludes the activity from accomplishing its objectives and plans. Among other things, a scope limitation may restrict the:
• Scope defined in the internal audit charter.
• Internal audit activity’s access to records, personnel, and physical properties relevant to the performance of engagements.
• Approved engagement work schedule.
• Performance of necessary engagement procedures.
• Approved staffing plan and financial budget.
3. A scope limitation, along with its potential effect, needs to be communicated, preferably in writing, to the board. The CAE needs to consider whether it is appropriate to inform the board regarding scope limitations that were previously communicated to and accepted by the board. This may be necessary particularly when there have been organization, board, senior management, or other changes.


4. Internal auditors are not to accept fees, gifts, or entertainment from an employee, client, customer, supplier, or business associate that may create the appearance that the auditor’s objectivity has been impaired. The appearance that objectivity has been impaired may apply to current and future engagements conducted by the auditor. The status of engagements is not to be considered as justification for receiving fees, gifts, or entertainment. The receipt of promotional items (such as pens, calendars, or samples) that are available to employees and the general public and have minimal value does not hinder internal auditors’ professional judgments. Internal auditors are to report immediately the offer of all material fees or gifts to their supervisors.

PA 1130.A1-1: Assessing Operations for Which Internal Auditors Were Previously Responsible (Jan. 1, 2009)

Persons transferred to, or temporarily engaged by, the internal audit activity should not be assigned to audit those activities they previously performed or for which they had management responsibility until at least one year has elapsed. Such assignments are presumed to impair objectivity, and additional consideration should be exercised when supervising the engagement work and communicating engagement results.

PA 1130.A2-1: Internal Audit’s Responsibility for Other (Non-audit) Functions (Jan. 1, 2009)

1. Internal auditors are not to accept responsibility for non-audit functions or duties that are subject to periodic internal audit assessments. If they have this responsibility, then they are not functioning as internal auditors.
2. When the internal audit activity, chief audit executive (CAE), or individual internal auditor is responsible for, or management is considering assigning, an operational responsibility that the internal audit activity might audit, the internal auditor’s independence and objectivity may be impaired. At a minimum, the CAE needs to consider the following factors in assessing the impact on independence and objectivity:
• Requirements of the Code of Ethics and the Standards.
• Expectations of stakeholders that may include the shareholders, board of directors, management, legislative bodies, public entities, regulatory bodies, and public interest groups.
• Allowances and/or restrictions contained in the internal audit charter.
• Disclosures required by the Standards.
• Audit coverage of the activities or responsibilities undertaken by the internal auditor.
• Significance of the operational function to the organization (in terms of revenue, expenses, reputation, and influence).
• Length or duration of the assignment and scope of responsibility.
• Adequacy of separation of duties.
• Whether there is any history or other evidence that the internal auditor’s objectivity may be at risk.
3. If the internal audit charter contains specific restrictions or limiting language regarding the assignment of non-audit functions to the internal auditor, then disclosure and discussion with management of such restrictions is necessary. If management insists on such an assignment, then disclosure and discussion of this matter with the board is necessary. If the internal audit charter is silent on this matter, the guidance noted in the points below is to be considered. All the points noted below are subordinate to the language of the internal audit charter.
4. When the internal audit activity accepts operational responsibilities and that operation is part of the internal audit plan, the CAE needs to:


• Minimize the impairment to objectivity by using a contracted, third-party entity or external auditors to complete audits of those areas reporting to the CAE.
• Confirm that individuals with operational responsibility for those areas reporting to the CAE do not participate in internal audits of the operation.
• Ensure that internal auditors conducting the assurance engagement of those areas reporting to the CAE are supervised by, and report the results of the assessment to, senior management and the board.
• Disclose the operational responsibilities of the internal auditor for the function, the significance of the operation to the organization (in terms of revenue, expenses, or other pertinent information), and the relationship of those who audited the function.
5. The auditor’s operational responsibilities need to be disclosed in the related audit report of those areas reporting to the CAE and in the internal auditor’s standard communication to the board. Results of the internal audit may also be discussed with management and/or other appropriate stakeholders. Impairment disclosure does not negate the requirement that assurance engagements for functions over which the CAE has responsibility need to be overseen by a party outside the internal audit activity.

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters: 247 Maitland Ave., Altamonte Springs, FL 32701 USA. T: +1-407-937-1111, F: +1-407-937-1101, W: www.theiia.org
– Practice Guide

INTEGRATED AUDITING

July 2012

IPPF – Practice Guide
Integrated Auditing

Table of Contents

Executive Summary (p. 1)
Introduction (p. 1)
Integrated Auditing
1. Why use an integrated audit methodology? (p. 2)
2. Creating an integrated audit plan (p. 4)
3. Conducting an integrated audit (p. 6)
4. Integrated auditing in small audit activities (p. 6)
Appendix: Integrated audit effectiveness checklist (p. 8)
Authors and Reviewers (p. 9)
Executive Summary

Historically, internal audits were associated with gaining information about financial systems and the financial records of an organization or a business. However, now audits include non-financial subject areas, such as safety, security, information systems performance, and environmental concerns. With nonprofit organizations and government agencies, there has been an increasing need for performance audits, examining success in satisfying mission objectives. As a result, there are audit professionals who specialize in security audits, information systems audits, and environmental audits. Integrating this knowledge base into a single audit produces a more effective outcome through a holistic approach. Decisions on risk evaluation require an increased focus by auditors to broaden their perspectives and think outside the box. The purpose of this Practice Guide is to increase the internal auditor’s awareness of integrated auditing and provide guidance on how to approach an integrated audit.

Key sections in this guidance provide information to explain:

• Differences between an integrated audit approach and a non-integrated audit approach.
• Advantages of an integrated audit approach.
• Situations when a non-integrated audit approach may be more effective than an integrated approach.
• How to create an integrated audit plan.
• Consideration of the skills or specialized knowledge needed to conduct an integrated audit.
• Integrated auditing in small audit activities.

The appendix in the guidance is a checklist of the key questions a CAE should ask to ensure that the internal audit activity is effectively using an integrated audit approach.

Introduction

The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors (IIA). The IPPF includes the Definition of Internal Auditing, Code of Ethics, International Standards for the Professional Practice of Internal Auditing (Standards), and strongly recommended guidance such as this Practice Guide.

When performing integrated audit engagements, internal auditors should consider the following standards outlined in the IPPF:

• Standard 1200: Proficiency and Due Professional Care.
• Standard 1210: Proficiency.
• Standard 2010: Planning.
• Standard 2200: Engagement Planning.
• Standard 2210: Engagement Objectives.
• Standard 2230: Engagement Resource Allocation.
• Standard 2240: Engagement Work Program.

The chief audit executive (CAE) should consider an integrated audit approach as part of the overall methodology used by the internal audit activity. The objective is to achieve a more effective and efficient audit engagement. Current IPPF guidance provides a solid foundation for this approach. This guide will discuss areas that enhance the audit engagement by providing guidance on areas that may differ between a prior traditional and current integrated audit approach.

1. Why use an integrated audit methodology?

What are the differences between an integrated audit approach and a non-integrated audit approach?

An integrated audit differs from a non-integrated audit in terms of scope and overall complexity. A traditional audit and an integrated audit differ in scope and depth and breadth of coverage. For example, a traditional audit may focus on financial or operational aspects while an integrated audit will take a more global approach that looks at several aspects including, but not limited to, financial, operational, IT, regulatory, compliance, environmental, and fraud.

The complexity of an integrated audit is directly related to its broader nature, which may require:

• The use of multiple audit techniques to accomplish the desired outcome.
• Increased use of external resources or increased knowledge of staff and additional skill sets.
• Enhanced project management skills to ensure coordination and effective completion of the audit.
• A balanced approach to risk identification and rating, especially with unfamiliar areas that have not been traditionally reviewed.
• Increased oversight and creativity to think outside the box by the auditor, and communication among all parties involved in the engagement.
• Changes in the current staffing model.

The internal audit activity should consider the use of multiple audit techniques when performing an integrated audit to efficiently and effectively accomplish the desired outcome of the engagement. Examples of these audit techniques can include, but are not limited to, continuous auditing, sampling, surveys, and data analysis. Many of these are used in traditional audits but it is not common practice to use them in tandem. The primary goal is to think outside the box and consider use of appropriate techniques to more efficiently drive the outcome of the audit.

An integrated audit will require increased knowledge to ensure appropriate risk identification and evaluation occurs. The inclusion of personnel from various departments, external consultants, increased audit research, training, and potential changes to the current staffing model may be required to enhance the audit team’s expertise. Increased audit research and training could add time to the audit and could increase costs. The audit team should become familiar with available Internet audit resources and training, which will provide the desired information and help mitigate the increased costs. Understanding and using available resources in other departments could be an effective way to bring expertise to the audit without increased costs. One suggestion is for the internal audit activity to maintain an inventory of organization personnel who could be used as experts to supplement existing audit resource knowledge. The audit team itself will be required to have the skill set to consolidate the information gathered into a comprehensive risk assessment. Decisions regarding risk evaluation will require coordination among all parties to ensure appropriate risk ratings.

The more holistic view of an integrated audit requires the auditor to modify his or her perspective and think beyond the traditional audit scope. A crucial role in the success of an integrated audit is the lead auditor (or auditor-in-charge) due to the higher requirements regarding qualifications and audit project management capabilities. The lead auditor should have a full understanding of the potential risk of the audit activity under all aspects of the audit scope. The lead auditor will be required to have sufficient soft skills to ensure effective teamwork among the audit staff and others who will provide expertise to the engagement.

As noted, an integrated audit may require additional resources to provide the knowledge base for risk identification and evaluation. The lead auditor is responsible for ensuring coordination among all areas and a balanced approach to risk identification and rating. The lead auditor plays a pivotal role in the successful outcome of the engagement plan. The lead auditor should ensure communication among all parties involved and timely completion of audit activities. Increased project management skills are required, and the use of a scheduling tool is suggested to monitor completion.

Increased expertise may require modification of the audit staffing plan. This could include hiring staff with specific expertise in regulatory compliance or environmental engineering. The type of expertise is organization and audit-scope dependent.

The overall complexity of an integrated audit is manageable if the right personnel are involved. This includes the willingness of departments within an organization to share expertise and the knowledge and skill set of the lead auditor. The willingness to commit the appropriate resources is required to ensure successful outcomes of these larger, broader scope audits.

What are the advantages of an integrated audit approach?

Adopting an integrated audit approach can increase the internal audit activity’s credibility, resulting in increased relevance of its work and a greater opportunity to be seen as an essential participant in major projects from the outset. Many find that auditors increase their confidence and become more proficient in other facets of the organization’s operations, increasing their effectiveness. Other advantages include increased coverage, improved reporting, and more effective risk assessments and audit planning.

When is a traditional audit approach more effective than an integrated audit approach?

The adoption of an integrated audit strategy does not mean that limited scope audits will no longer be used. Risk assessments may suggest that the audit of high risk in a single element should be the priority. This might result in a more narrow scope audit. Examples are an audit of compliance with regulatory requirements for loan documentation or an audit of the completeness and accuracy of management information.

Certain constraints may limit the effectiveness of an integrated audit approach, including resource or budget constraints. Where the audited activity is carried out by a small team, it may be necessary to limit the number of auditors involved in an assignment to avoid disruption to day-to-day business activity.

In summary, various audit approaches should be considered. The CAE should determine the best approach based on the organization, activity to be audited, and available resources. Use of multiple audit approaches could complement each other.

2. Creating an integrated audit plan

For an organization to embrace integrated auditing, the corporate governance framework should be sufficiently mature. The board¹ should be satisfied that the internal audit activity has sufficient technical and managerial skills to undertake an integrated audit. These skills will include technical abilities, and interpersonal and management skills required to perform a broader scope audit.

What additional dimensions to the audit are there?

• Extended risk identification and risk evaluation.
• Identification of controls over the broader scope area.
• Additional resources required, headcount and expertise, to execute the integrated audit plan.
• Approval by the CAE to complete the integrated audit plan.

Figure 1

1. There is a growing trend for boards to request audits of legal issues related to contracts, regulatory compliance, or other stakeholder concerns. An integrated audit approach may be most effective.

2. Boards and senior management may require continuous monitoring in the organization to enable assurance across the organization, and for this assurance to be provided in real time. An integrated audit may be the most efficient and effective approach.

3. There is a growing requirement for assurance in areas such as IT governance and cloud computing. Assurance in these areas could be outside of the expertise of the traditional audit department, yet could be addressed in an integrated audit.

Figure 1 provides examples where an integrated audit should be considered.

Step One: Review the risk management cycle.

Ask the following questions:

• Does the existing risk management process have sufficient reach to capture all significant risks – i.e., events that could prevent the organization’s objectives from being achieved?
• For the audit universe being considered, is the risk map facing the whole organization? This will include areas previously seen as outside the scope, capability, or expertise of the internal audit function.

For example, is the research and development function producing new designs and products? Is process control equipment and software properly safeguarded? Are financial instruments being appropriately tested? Are regulatory issues being addressed? Is sufficient lobbying being undertaken where appropriate? Is reputation being safeguarded? Are there reviews of these areas taking place, and are they included in the assurance passed to senior management and the board?

The answers to these or similar questions could indicate risks not addressed by the internal audit activity. When risks of this breadth are identified, an audit of these areas could require a specialized level of knowledge that could be incorporated into an integrated audit plan.

¹ As defined in the Standards glossary, “A board is an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.”

Step Two: Overview of internal controls.

Having identified the broader risk universe, internal audit should review controls related to these risks.

For example, within the organization there may be duplication of control processes within the dispatch of goods for sale, such as verification of paperwork, electronic access systems, manual supervision, and closed-circuit television (CCTV) surveillance. It is possible that all of these individual controls may be tested separately, such as verification of paperwork (under a review of accounts payable), testing of electronic access (under a review of the facilities department), sample testing of manual supervision (in a review of the dispatch department), and CCTV use (in a review of the security function).

Integrated auditing, in this example, would require that the audit process focus on controlling the dispatch and recording of the items rather than individual transaction audits and systems audits.

Step Three: Identify the level of expertise required.

The CAE should consider the expertise that would not normally fall within the historical internal audit approach. The expertise needed to perform the review may exist within the organization but not be part of the internal audit activity, or an expertise gap may be identified that should be outsourced.

Step Four: Consider methods and timing.

Map out the methods and timing of the audit coverage required with the new, enlarged list of risks. This is a straightforward process of calculating the man-hours required for each task.

Step Five: Calculate resources.

Calculate the resources required, in terms of existing capacity within the internal audit activity and within the organization, and any new capacity that would be required, such as persons qualified to review specific areas. An output of this calculation will be the component cost of performing the integrated audit.

Step Six: Prioritize auditable activities within the audit plan.

It is important that the criteria used to compare and evaluate risks in all areas across the organization to be addressed in the integrated audit program have a common scoring system.

Step Seven: Combine the costs.

The cost of the integrated audit plan should be determined. This is a simple process of combining the costs identified in Step Five with the prioritized list of audits identified in Step Six.

Step Eight: Seek board approval.

The CAE should be prepared to answer the following questions when presenting an integrated audit plan as part of the overall set (scheduled) of audits presented to the board for approval:

• Does the integrated audit approach give greater assurance to the board and senior management? Can this be demonstrated?
• Is the integrated audit plan deliverable?
• What is the cost? Is there a cost of audit vs. assurance equation metric that demonstrates the benefit of this approach?

3. Conducting an integrated audit

Issues for the Lead Auditor

During audit planning, the lead auditor should understand all facets of the audit plan and what skills or specialized knowledge may be required to execute it. The lead auditor should build a team with the combined knowledge and experience to assess the risks and controls relevant to the activity under review. In building such a team, the lead auditor should consider whether increasing the team’s level of specialized skills or knowledge is needed to improve the quality of the audit.

The team leader should supervise the work of the specialist to confirm there is sufficient evidence of any errors identified or procedural/control deficiencies reported. The team leader can promote development of internal auditors by having audit staff work closely with the specialist to assure a transfer of skills and knowledge to the audit team. The expectations of the work to be performed by the specialist should be communicated clearly by the team leader.

Staffing an integrated audit team

Effective audit team member selection, including those with specialized skills or knowledge, is necessary to achieve a positive outcome from an integrated audit. Smaller audit activities may not have staff with specific audit specializations to ensure adequate staffing of the audit team. Cosourcing, guest auditors, or the use of internal or external specialists are common solutions to this challenge. Specialists will complement the skill sets and organizational knowledge of existing staff. All team members should understand their role and how it relates to the audit and risks of the activity under review.

Competencies of the integrated audit activity

The CAE has options for staffing the audit department to ensure it has the skills, knowledge, and specialties necessary for successful integrated audits.

Internal auditors should be provided opportunities to obtain the knowledge and skills necessary to undertake any type of audit. IIA Standard 1210: Proficiency states all internal auditors should have the knowledge, skills, and other competencies needed to perform their individual responsibilities. However, the cost and time to train all internal auditors in all aspects could be prohibitive for many organizations. The best use of resources may be to use internal auditors and specialists in those areas of work they are trained to perform and are most competent in executing.

Internal auditors with a broad range of skills may be a retention risk because of their increased marketability. Excessive staff turnover may lead to a cycle of retraining to replace lost staff. This possibility should not prevent organizations from adopting an aggressive training strategy to broaden the activity’s skill and knowledge base. CAEs need to consider their retention strategy to prevent loss of staff. Training on new skills can be part of a positive retention strategy.

4. Integrated auditing in small audit activities

Many smaller audit activities are structured to suit the nature and scale of the businesses that they serve. Such organizations may include the following common characteristics:

• One to five auditors.
• Productive internal audit hours below 7,500 a year.
• Limited level of cosourcing or outsourcing.

A smaller audit activity may not have the infrastructure to support an integrated audit program/plan relative to what a larger function might be able to support.

To effectively leverage integrated auditing within a small audit shop, broader consideration should be given to how integrated auditing may be leveraged to support the risk management objectives of the organization.

IIA Standard 2000: Managing the Internal Audit Activity requires that the CAE effectively manage the internal audit activity to ensure it adds value to the organization.

By leveraging a risk-based model, engagement planning performed through an integrated risk assessment lens can afford a smaller audit activity the opportunity for greater efficiency and support effective risk coverage within the audit program and objectives. The concept of integrated auditing may often include resources external to the department possessing subject matter or technical audit expertise to better support engagement planning and scoping across multiple risk areas. In some cases, these resources may be sourced from within the organization, provided objectivity of resources is maintained. In other cases, resources possessing the needed subject or technical expertise to guide engagement scope development may be externally sourced. Department staff should work with sourced specialists and leverage learning opportunities where possible. In cases where training dollars may support needed staff skills or knowledge for multiple engagements, such opportunities should be provided.

Development of risk-based audit procedure checklists, scoping mechanisms, and common testing methodologies to frame engagements best suited to an integrated model will drive efficient execution and are useful. Common considerations in the planning stage should include engagement complexity, engagement duration, staffing, and the value of such checklists (i.e., potential for engagement recurrence). Such material could drive the development of integrated audit work program templates, which will lessen the time needed by staff to effectively complete engagements and meet engagement objectives.

Smaller audit activities may choose to staff an engagement based on the underlying risk coverage of the areas being examined. CAEs are encouraged to be more involved in higher risk or complex engagements.

Assignment of audit procedures and coordination of completion is essential within a smaller audit activity. Communication among the team members is critical to ensure that the engagement is performed in the most efficient and effective manner. Because many small audit activities are in smaller organizations, auditees may have many areas of responsibility and be subject to multiple priorities. The emphasis in such an environment should be effective client and data management to support timely engagement completion and related reporting.

The engagement execution process will be the same as that of other engagements performed in accordance with the Standards. Consideration may need to be given by the CAE in reporting effectively on the results of work performed. Engagement-specific reporting should be defined if required as part of engagement planning. This should include expected content and format of communications, guidance regarding to whom the communications should be addressed, and whether others outside of the function should be consulted prior to finalization and release. Integrated audit engagements include the consideration of multiple risk areas; any reported findings will likely require a broader audience for socialization and related coordination to secure needed management action plans.

APPENDIX: Integrated audit effectiveness checklist

The following are key questions the CAE should ask to ensure that the internal audit activity is effectively using an integrated audit approach. An effective integrated audit approach would encompass all areas of coverage for the audit. These areas of coverage can include, but not be limited to, financial, operational, IT, environmental, fraud, and compliance.

1. Annual Audit Plan

a. Does the audit plan incorporate coverage of all high risk areas?
b. Is each auditable activity defined to ensure it covers areas within its scope?
c. Is the risk assessment performed in an integrated manner? For example, do the risk assessment risk factors ensure coverage of high risk areas?
d. Is the description of each factor included?

2. Written Communication

a. Does your written issue sheet identify the root cause through analysis of areas within the scope of the auditable activity?
b. Do recommendations ensure inclusion of areas or factors that would affect the root cause?
c. Is the overall opinion, if one is used, reflective of the observations made and considered in alignment with the framework identified in planning?

3. Audit Plan (Engagement)

a. Does coverage for the audit include an overall framework?
b. Does the staffing model complement the engagement scope?
c. Do team members understand how their work activities interrelate and affect the audit objectives and scope?
d. Do conclusions on specific audit tests address the control framework set up in the audit planning phase?
e. Do engagement team members periodically meet to ensure all members understand what they are intending to accomplish, and do their conclusions align with the framework established during planning?
f. Throughout the audit, are team members aware of the interrelationships of various controls to effectively and properly assess the impact of any deficiencies?
g. Was an integrated audit approach considered?
h. If the team decided an integrated audit approach would not facilitate the achievement of the stated engagement objectives, are the reasons noted?

4. Staffing Model

a. Does the staffing model meet the needs of the specific audit project?
b. For the current year annual audit plan, is knowledgeable external or internal staffing available for the audit team’s support? If not, is training planned to broaden the knowledge of the audit team prior to audit initiation?

5. Post-engagement Assessments

a. Do the self-assessments, peer reviews, and department quality standards ensure integrated engagement objectives are achieved and align with the planning framework?
b. Does the assessment include discussions/feedback on how team members learned from the integrated audit process (e.g., operational auditors understanding IT controls)?
c. Do management survey responses indicate that the integrated approach provides value-added results?

Authors:
James Reinhard, CIA, CPA, CISA
Brad Ames, CPA, CISA
Andrew Robertson
Rita Thakkar, CIA, CPA, CA
Ryon Pulsipher, CPA
David Bentley

Reviewers:
Steve Hunt, CIA, CISA, CRMA, CGEIT, CRISC, CBM
Steven Jameson, CIA, CCSA, CFSA, CRMA, CPA, CFE
About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters: 247 Maitland Ave., Altamonte Springs, FL 32701 USA. T: +1-407-937-1111, F: +1-407-937-1101, W: www.globaliia.org

IPPF – Practice Guide

Interaction
with the Board

August 2011
IPPF – Practice Guide
Interaction with the Board

Table of Contents

Executive Summary...................................................................................... 1

Introduction.................................................................................................. 1

1000 – Purpose, Authority, and Responsibility............................................ 1

Internal Auditing’s Relationship with the Board......................................... 3

A. Frequent Communication with Board Members Between Meetings ........ 3

B. Communicating Sensitive Matters........................................................... 4

C. International and Industry Considerations............................................... 5

D. CAE Turnover........................................................................................... 5

Communicating through a Risk-based Audit Plan...................................... 5

Board Reporting .......................................................................................... 6

A. Key Focus Areas...................................................................................... 6

B. System of Internal Control....................................................................... 7

C. Status of Audit Plan and Audit Resources............................................... 7

D. Distribution of Audit Reports................................................................... 7

E. Fraud/Investigations............................................................................... 7

F. Open Audit Issues.................................................................................... 8

G. Quality Assessments............................................................................... 8

H. Board Education Opportunities............................................................... 8

Administration and Coordination of Board Activities................................ 8


Executive Summary

Boards and internal auditors have interlocking goals. A strong working relationship between the two is essential for the internal audit activity to fulfill its responsibilities to not only the board, but also senior management, shareholders, and other stakeholders, as appropriate. The chief audit executive (CAE) often reports directly to the board, depending on the organization’s governance structure. An effective internal audit activity provides the board assurance and suggests improvement opportunities related to the organization’s governance, risk management, and related internal controls. Board responsibilities encompass activities that are beyond the scope of this guide, and in no way is this guide intended to be a comprehensive description of those responsibilities.

There are several activities, primarily accomplished through the CAE, that are key to an effective relationship between the board and the internal audit activity:

• Maintaining effective communication with the board and the chair, including communicating openly and candidly with the board.
• Developing a risk-based audit plan that meets the relevant objectives of the board charter and communicating the internal audit activity’s performance relative to the plan.
• Formally and informally reporting to the board regularly and timely.
• Assisting the board in ensuring that its charter, activities, and processes are appropriate to fulfill its responsibilities.
• Ensuring that internal auditing’s charter, role, and activities are clearly understood and responsive to the needs of the board.
• Assisting the board in understanding changes in the regulatory and business environment relating to governance, risk management, compliance, and related internal controls.

Introduction

The purpose of this practice guide is to assist the chief audit executive (CAE) in meeting the requirements of the International Professional Practices Framework (IPPF) as it relates to interacting and communicating with the board. The IPPF’s Glossary defines the board as “an organization’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.”

The IPPF outlines the following International Standards for the Professional Practice of Internal Auditing (Standards), the Practice Guides, and the Practice Advisories pertaining to interacting and communicating with the board:

1000 – Purpose, Authority, and Responsibility

The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval.

1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work. This can be achieved through a dual-reporting relationship.


1110 – Organizational Independence

The CAE must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The CAE must confirm to the board, at least annually, the organizational independence of the internal audit activity.

1111 – Direct Interaction with the Board

The CAE must communicate and interact directly with the board.

Practice Guide: Chief Audit Executive – Appointment, Performance Evaluation and Termination.

The CAE will have a high degree of interaction with senior management and the board and thus needs to demonstrate the right attributes and skills for the position.

1300/1310 – Quality Assurance and Improvement Program

The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The quality assurance and improvement program must include both internal and external assessments.

2020 – Communication and Approval

The CAE must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to senior management and the board for review and approval. The CAE must also communicate the impact of resource limitations.

Practice Advisory 2020-1 – Communication and Approval

1. The CAE will submit annually to senior management and the board for review and approval a summary of the internal audit plan, work schedule, staffing plan, and financial budget. This summary will inform senior management and the board of the scope of internal audit work and of any limitations placed on that scope. The CAE will also submit all significant interim changes for approval and information.
2. The approved engagement work schedule, staffing plan, and financial budget, along with all significant interim changes, are to contain sufficient information to enable senior management and the board to ascertain whether the internal audit activity’s objectives and plans support those of the organization and the board and are consistent with the internal audit charter.

Standard 2060 – Reporting to Senior Management and the Board

The CAE must report periodically to senior management and the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

Practice Advisory 2060-1 – Reporting to Senior Management and the Board

The frequency and content of reporting are determined in discussion with senior management and the board and depend on the importance of the information to be communicated and the urgency of the related actions to be taken by senior management or the board.

2420 – Quality of Communications

Communications must be accurate, objective, clear, concise, constructive, complete, and timely.

Practice Advisory 2420-1 – Quality of Communications

1. Gather, evaluate, and summarize data and evidence with care and precision.
2. Derive and express observations, conclusions, and recommendations without prejudice, partisanship, personal interests, and the undue influence of others.
3. Improve clarity by avoiding unnecessary technical language and providing all significant and relevant information in context.
4. Develop communications with the objective of making each element meaningful but succinct.
5. Adopt a useful, positive, and well-meaning content and tone that focuses on the organization’s objectives.
6. Ensure communication is consistent with the organization’s style and culture.
7. Plan the timing of the presentation of engagement results to avoid undue delay.

2440 – Disseminating Results

The CAE must communicate results to the appropriate parties.

Practice Advisory 2440-2 – Communicating Sensitive Information Within and Outside the Chain of Command

Once the internal auditor has deemed the new information substantial and credible, he or she would normally communicate the information — in a timely manner — to senior management and the board.

Internal Auditing’s Relationship with the Board

A strong relationship between internal auditing and the board enhances the internal audit activity’s ability to accomplish the objectives defined in the audit charter. The CAE generally is the primary conduit for developing and maintaining that relationship; however, other members of the internal audit activity also may contribute through participation at board meetings and in preparing materials for the board. Furthermore, the entire internal audit activity contributes to the relationship by thoroughly and professionally executing projects and analyzing the results of those projects. A strong relationship is based on trust and credibility that should grow and strengthen through timely and relevant interactions and communications.

The CAE and board should establish a clear understanding of the expectations of the internal audit activity. These expectations are formally presented in the board and internal audit activity charters and annual plans, which should be periodically reviewed and approved. Most boards have additional expectations that evolve based on company performance, industry trends, and perspectives held by each board member. The CAE should understand these expectations so that he or she can take the appropriate steps to meet them. The tasks and responsibilities of a CAE from one organization to another vary widely based on the organization’s governance structure and the nature of the CAE’s functional reporting relationship to the board.

A. Frequent Communication with Board Members Between Meetings

Clear, relevant, and frequent communication between the CAE and members of the board is essential. Due to the complexity and significance of today’s business and related risks, frequent discussions with the chair and other members of the board may need to supplement regular formal board meetings and communications. Depending on the organizations and individuals involved, it may be best for the communications to follow a predefined protocol, such as:

• Regular meetings with individual board members with a pre-set agenda.
• More frequent meetings between the board chair and CAE depending on the issues facing the organization and the preferences of the chair.


• Periodic communications on relevant issues.

In many organizations, the relationship between the CAE and board members is very cohesive, which tends to lead to more ad-hoc communications — not just about critical issues but also less pressing issues as well. Many CAEs find the interaction with board members on routine business issues to be helpful in building a relationship as a trusted business advisor and in maintaining awareness of what’s going on in the organization.

Regardless of the communication media used, basic guidelines include:

• Make sure information is timely, relevant, fact based, balanced, objective, and complete.
• Consider formality and tone of communications to ensure they are appropriate.
• Avoid making presumptuous comments without sufficient facts.
• Consider the repercussions that commentary on control weaknesses and other management failures can create.
• Document communications if required for professional or business reasons.
• Do not wait until there is a need to address a sensitive or contentious issue to start building a strong relationship with the board.
• Manage potential conflict between the board and management in accordance with the responsibilities established in the internal audit charter.

Standard 2420 – Quality of Communications and the related Practice Advisory 2420-1 – Quality of Communications provide guidance for good communications to the board, whether in a formal meeting setting or a less formal face-to-face meeting.

B. Communicating Sensitive Matters

The necessity to deal with sensitive issues such as senior management’s failure to manage strategic and/or operational risk, as well as ethically questionable behaviors and actions (including fraud), could arise at any time. Consequently, the CAE must possess highly developed oral and written communication skills to convey information to all concerned stakeholders in a timely and appropriate fashion. Effective communication of sensitive issues depends on the establishment of effective formal and informal communication channels and strong relationships with management and board members that are based on trust and credibility.

Depending on the facts and circumstances of the sensitive issue, the CAE should consider consulting with key members of management such as the general counsel (head of legal department). The following basic guidelines should be considered:

• Facts and details are available and documented.
• Findings can be verified, and opinions and conjecture are clearly articulated as such.
• Communication is timely and urgent (and truly of a sensitive nature).

The CAE may be faced with a situation where management attempts to delay reporting of an issue, leaves out some or all of the critical elements, or disagrees that the issue should be reported to the board. The CAE should carefully consider the significance of such issues and determine to what extent the issue should be elevated. The CAE should also consider his or her obligations with respect to the IIA’s Code of Ethics, the internal audit charter, the organization’s code of conduct, and applicable laws and regulations. The best approach will depend on the sensitivity and complexity of the issue, the culture of the organization, the governance structure, and applicable laws/regulations.

When it is determined that a sensitive issue should be elevated, it is essential that the CAE communicate directly with the board chair or similar person of authority depending on the governance structure. Communication, especially on significant or sensitive issues, is best handled when based on a professional, trusted relationship with the chair and other board members. The CAE should prepare documentation of the communication that includes relevant support. The CAE should recognize that formal or informal discussions of sensitive issues with individuals other than the chair might jeopardize the CAE’s credibility with the chair and indirectly with other members of the board and management.

The Practice Advisory 2440-2 – Communicating Sensitive Information Within and Outside the Chain of Command provides additional guidance.

C. International and Industry Considerations

Governance and ownership structures differ from country to country and among industries. In some countries, there exists a two-tier board system that differentiates between the supervisory function (supervisory board) and the operative management function (board of management). In such cases, the internal audit activity may not report directly to the board, but to the owner or even to senior management, such as the chief executive officer, chief financial officer, or chief operating officer. Although basic organizational structures vary, the principles and practices outlined in this Practice Guide are still relevant. Most statements referring to the “board” in this practice guide should then be interpreted as the executive to whom the CAE reports (disciplinarily/administratively). In addition, there should be a defined reporting relationship to the supervisory board. In most cases, the audit committee is the subcommittee of the supervisory board. Reporting to the audit committee should be coordinated with the executive to whom the CAE reports (if not the CEO) and the CEO.

The CAE should also ensure that the internal audit activity appropriately coordinates with other internal functions, such as regulatory compliance, law, human resources, security, and others.

D. CAE Turnover

The board typically has oversight of the turnover of the CAE, if not the responsibility to approve/direct the departure of a CAE and the hiring of a replacement. The role of the board in this activity helps ensure the CAE’s independence and that he or she has the competencies necessary to perform in the position.

When first appointed to this position, or exiting this position, the CAE should work closely with the board to ensure complete transparency as to the reasons for the change.

The Practice Guide: Chief Audit Executive – Appointment, Performance Evaluation and Termination provides additional guidance.

Communicating through a Risk-based Audit Plan

One of the most important aspects of interacting with the board is gaining its confidence that the internal audit activity is fully engaged with senior management across the organization to monitor and mitigate risks, is alert to emerging risks, is aligned with stakeholders on risk view, and has an audit plan that demonstrates how Internal Audit is assisting the board in meeting its responsibilities for oversight of risk management, compliance, and related internal controls.

An audit plan can be a framework and mechanism for communication to the board, as the CAE should provide the board with regular updates on its work and the status of the audit plan. The board should approve the audit plan and contribute to its development.

The CAE should use risk assessment techniques in developing the internal audit activity’s plan and in determining priorities for allocating internal audit resources. Risk assessment is used to select areas to include in the internal audit activity’s plan. Also, the CAE should seek guidance on what the board and the company consider important to assist in assessing risks, prioritizing projects, and allocating audit resources.

A significant part of laying the groundwork for preparation of a risk-based audit plan is having an understanding of the risk appetite of your primary stakeholders – generally the board and senior management. Risk appetite is the level of risk that the stakeholders are willing to accept in the course of doing business. It is a key factor in developing a risk-based audit plan. Understanding the risk appetite can be achieved by reviewing the organization’s risk management philosophy or risk policy; holding discussions with the group responsible for risk management, the board, and senior management; and, with respect to financial reporting risk, meeting with the chief financial officer and the external auditor. The CAE incorporates these inputs, develops the audit plan, and presents the proposed audit plan to management for review and the board for approval.

Regularly, e.g. quarterly, brief discussions with the board on risk themes, their continued relevance, and emerging risks should be held. A review/update of the audit plan may be necessary to ensure that it continues to include the most relevant risks. The board should also understand which significant risks are not addressed, and whether sufficient resources are available to meet requirements. In short, the board needs to understand how Internal Audit is assisting the board to meet its responsibilities.

For further information on incorporating Enterprise Risk Management into the audit planning process, see PA 2010-2: Using the Risk Management Process in Internal Audit Planning (July 2009) and PA 2050-2: Assurance Maps (July 2009).

Board Reporting

The board, like everyone else, has limited time and increasing responsibilities. The CAE’s communication, handouts, and reports to the board should be risk-focused. A good guideline for interacting with the board is to understand where its interests lie and to set expectations to report on those areas on an exception basis. Additionally, the reporting requirements of the internal audit charter should be considered.

For formal board meetings, all parties can be better served if read-only materials are relevant, complete, and risk-based, leaving the face-to-face meeting time for further discussions of meaningful items or questions.

Listed below are areas to consider for formal board communications.

A. Key Focus Areas

Key focus areas are a combination of critical matters that warrant board attention — the risk themes established during audit planning, any emerging risk themes that come up during the year, and issues related to special assignments. The CAE should ensure that communications are appropriately calibrated to enable the board to understand the severity or significance of issues.

The board should be kept current on what has been done: results to date, improvement plans, progress against improvement plans, current assessment of the risk area, and what has been planned in all key areas/themes.

Although this document advocates limiting reporting to the board to significant items and on an exception basis, the board needs insight into what is going on throughout the organization, even in lower risk areas. Today’s developing trend may be tomorrow’s emerging risk issue. Trend analysis of audit results can often reveal areas where management attention is warranted, and only a slight change in emphasis may stop a trend from becoming an emerging issue.

B. System of Internal Control

One of the elementary measures of the fundamental soundness of an organization is the maturity and efficacy of the system of internal control. Similar to trends, internal auditing’s analysis of and thoughts on the system of internal control can serve to both keep the board informed and provide the impetus for management to draft and implement improvements. It is particularly important for management, through effective monitoring activities, to ensure that the system of internal control continues to operate effectively over time. Internal audit should report to the board on the effectiveness of monitoring activities undertaken by management.

The CAE should understand if the board values an opinion on governance, risk management, and internal controls and the scope of work required to provide such assurance.

C. Status of Audit Plan and Audit Resources

The CAE should discuss the status of the audit plan with the board on a regular basis. The CAE should inform the board of changes to the audit plan and the rationale behind them. The CAE and the board should establish an understanding regarding changes to the plan and the protocol for seeking board approval of such changes. Generally, changes to the audit plan should be expected, depending on the dynamics of each organization and changes in its industry and operating environment.

The audit plan may contemplate internal auditing’s participation in organization initiatives in an advisory or consulting capacity. In such cases, the board should be aware of the scope of these projects, and the CAE should determine the most appropriate content for reporting to the board. Such reporting should consider addressing the nature of these services in the context of the internal auditing activity’s charter and the impact on independence and objectivity.

The CAE should also discuss the internal audit activity’s ability to complete the audit plan, including whether internal auditing has appropriate resources and whether management has imposed any scope limitations on the work of the internal auditors. Additionally, the CAE should provide the board with visibility into qualifications of the audit personnel so it can evaluate whether adequate resources are allocated to the activity.

D. Distribution of Audit Reports

The decision to distribute audit reports to the board depends on board preferences. The CAE should, however, provide the board with an explanation of the scope and findings of the audits performed. This could be accomplished by providing the board with the audit reports, an executive summary of each audit, or a summary of the findings on a periodic basis. The CAE should consider the input of senior management and consult with the board to determine the most appropriate approach to providing this information.

E. Fraud/Investigations

Fraud/investigations are often the responsibility of the internal audit activity. In such a situation, internal auditing should bring to the attention of the board fraud/investigations of a significant nature, or those including personnel who are critical to the control structure. The CAE should understand the board’s expectations regarding the types of investigations and depth of information that should be communicated.

The board should be aware (similar to Key Focus Areas) of the nature of a potential incident, what is being done to investigate and understand both the impact of the incident and ultimately what allowed it to occur, corrective action plans and implementation progress, and disciplinary actions.


F. Open Audit Issues

Although management is generally responsible for resolving issues, in accordance with IIA Standard 2500 – Monitoring Progress, the internal audit activity should monitor the resolution of open audit issues. Significant open audit issues that are not expected to be resolved on schedule, or have fallen behind their due date, should be reported to the board along with a recovery plan and a view as to the viability of the recovery plan. Future meetings should include a report on monitoring of the progress of the improvement plan.

G. Quality Assessments

The internal audit activity should develop an appropriate internal assessment program and should identify appropriate Key Performance Indicators (KPIs). KPIs of the internal audit activity provide a platform to discuss issues relative to the internal audit activity and potentially gain board support in making necessary changes. Establishment of KPIs should be done in a group that includes senior management, as well as the board, and there should be consensus that the KPIs chosen are meaningful and appropriate.

In addition to being a driver in the discussion of issues relative to the department, KPIs are relevant in the evaluation of the CAE’s performance. Once the KPIs are understood and agreed to by the board, frequent reporting of actual versus desired performance with detailed explanations is essential. In cases where the relevant KPIs cannot be met, timely notification to the board should be prepared and include:

• Type of performance indicator involved.
• Discrepancy between desired performance and actual performance.
• Reason for the divergence.
• Plans for closing the gap.

The KPIs should provide some indication as to improvements being made to the internal audit activity resulting from the KPI analysis. Also, results of the external and internal assessments (as referred to in IIA Standard 1300) should be communicated to the board, and the CAE should indicate how the recommendations will be implemented. Additional information on developing and using KPIs as part of an internal assessment program (IIA Standard 1311) can be found in the Practice Guide, Measuring Internal Audit Effectiveness and Efficiency.

H. Board Education Opportunities

The CAE can play a critical role in ensuring that the board is aware of current topics to help it accomplish its obligations as described in its charter. The CAE should consider the needs of the board by helping it stay current on issues that impact its ability to accomplish its duties, such as assisting the board in understanding changes in the regulatory and business environment relating to governance, risk management, compliance, and related controls. The CAE should consider providing the board with relevant educational materials to help it understand the risks of its environment (e.g., industry risks, regulatory changes, accounting rule changes).

Administration and Coordination of Board Activities

The CAE may play a direct role as a valued adviser to the board by assisting with its administrative and governance responsibilities, reviewing its activities, and suggesting enhancements. Examples of activities that the CAE can undertake, depending on the governance structure of the organization, are:

• Encourage the board to conduct periodic reviews of its activities and practices to evaluate whether its activities are a) accomplishing the board’s charter, and b) consistent with leading practices. This may involve facilitating a self-assessment using surveys, benchmarking against external guidelines, etc.
• Review the charter for the board at least annually and advise the board whether the charter addresses all the responsibilities expected by relevant regulatory bodies.
• Maintain a planning agenda for board meetings that details all required activities to ascertain whether they have been completed and facilitates reporting to the board annually that it has completed all required duties.
• Draft the board meeting agenda for the board chair, or equivalent, facilitate distribution of the material to the board members, and review or prepare the minutes of the board meetings.
• Meet periodically with the board chair, or equivalent, to discuss whether the materials and information being furnished to the board are meeting its needs.
• Work with the board to determine if any educational or informational sessions or presentations would be helpful; for example, sessions on risk and controls for new board members or updates on regulatory changes impacting board responsibilities.
• Inquire of the board whether the frequency of the meetings and the time allotted to the board are sufficient.
• Review with the board the functional and administrative reporting lines of the internal audit activity to ensure that the organizational structure in place allows adequate independence for internal auditors in accordance with IIA Standard 1110.
• Assist the board in evaluating the adequacy of the audit personnel and budget, and the scope and results of the internal audit activities, to ensure there are no staffing, budgetary, or scope limitations that impede the ability of internal auditing to execute its responsibilities.
• Provide information on the coordination with and oversight of other control, assurance, and monitoring functions (e.g., risk management, compliance, security, business continuity, legal, ethics, environmental, and external auditing).

www.theiia.org/guidance / 9
Authors:
Richard A. Schmidt, CIA
Kevin D. Lacy, CIA
Erich Schumann, CIA

Reviewers and Contributors:
Douglas J. Anderson, CIA
James Rose, CIA
Steven E. Jameson, CIA, CCSA, CFSA
About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
Internal Audit and the Second Line of Defense
Practice Guide / Internal Audit and the Second Line of Defense

Table of Contents
Table of Contents .................................................................................................................................. 2
Executive Summary ............................................................................................................................... 3
Introduction ............................................................................................................................................ 3
Business Significance and Related Risks ........................................................................................... 3
Related IIA Standards ........................................................................................................................ 4
Definition of Key Concepts ................................................................................................................. 5
Overview of Good Governance .............................................................................................................. 7
The Three Lines of Defense Model .................................................................................................... 7
Independence and Objectivity ............................................................................................................ 8
Role of the CAE ..................................................................................................................................... 9
Organizational Governance and Three Lines of Defense ................................................................... 9
Identifying Gaps and Potential Conflicts Within the Three Lines of Defense ....................................... 9
Internal Audit and Second Line of Defense Responsibilities .................................................................. 9
Second Line of Defense Functions ..................................................................................................... 9
Internal Audit and Second Line of Defense Activities........................................................................ 10
Safeguards to Maintain Independence and Objectivity......................................................................... 11
Discussions on Dual Responsibilities ............................................................................................... 11
Safeguards to Maintain Independence and Objectivity ..................................................................... 11
Transition Plan ..................................................................................................................................... 13
Management’s Acceptance of Risks to Independence and Objectivity ................................................. 14
Resources ........................................................................................................................................... 15
Related IIA Guidance ....................................................................................................................... 15
Authors ................................................................................................................................................ 15

2
Executive Summary
As governance and monitoring functions collaborate more closely to avoid duplication of effort,
internal audit may be asked to take on responsibilities for risk management, compliance,
regulatory oversight, and other governance activities.
The chief audit executive (CAE) plays a critical role in navigating between internal audit’s
traditional role and assuming responsibilities for risk management, compliance, and other
governance functions. The CAE should be held accountable for preserving independence and
objectivity, communicating with management and the board, and confirming management’s
acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate
through these competing challenges, internal auditors can look to The IIA’s guidance on
effective risk management and control, and promulgated standards related to independence
and objectivity.

Introduction
In January 2013, The IIA issued the Position Paper, The Three Lines of Defense in Effective
Risk Management and Internal Control. The position paper outlines risk and control
responsibilities within organizations and states that if dual responsibilities are assigned to a
single person or department, consideration should be given to separating these functions at a
later time. However, business constraints or other considerations may limit total separation
among governance functions. This practice guide provides guidance to ensure independence
and objectivity are not compromised in situations where internal audit may be responsible for
second line of defense functions.
This guidance is not applicable where country and/or industry-specific standards may prohibit
internal audit from performing second line of defense activities.

Business Significance and Related Risks

When following the Three Lines of Defense model, responsibilities among various functions of
the organization are generally classified as follows:

• First line of defense: operational management functions that own and manage risks.
• Second line of defense: risk management and compliance functions that monitor risks.
• Third line of defense: an internal audit function that provides independent assurance.
When internal audit is also responsible for second line of defense functions, such as risk
management and compliance, it is essential to implement safeguards to protect independence
and/or objectivity and to routinely validate that the safeguards are operating effectively.

Management and the board should clearly understand the risks and appropriate controls
needed when internal audit undertakes second line of defense functions.

Related IIA Standards

The following standards from the International Standards for the Professional Practice of
Internal Auditing (Standards) relate to internal audit assuming second line of defense
functions. Additional related IIA guidance documents are identified in Resources.

1100 – Independence and Objectivity


The internal audit activity must be independent, and internal auditors must be objective in
performing their work.

1110 – Organizational Independence


The chief audit executive must report to a level within the organization that allows the internal
audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at
least annually, the organizational independence of the internal audit activity.

1120 – Individual Objectivity


Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

1130 – Impairment to Independence or Objectivity


If independence or objectivity is impaired in fact or appearance, the details of the impairment
must be disclosed to appropriate parties. The nature of the disclosure will depend upon the
impairment.
1130.A1 – Internal auditors must refrain from assessing specific operations for which
they were previously responsible. Objectivity is presumed to be impaired if an internal
auditor provides assurance services for an activity for which the internal auditor had
responsibility within the previous year.
1130.A2 – Assurance engagements for functions over which the chief audit executive
has responsibility must be overseen by a party outside the internal audit activity.
1130.C1 – Internal auditors may provide consulting services relating to operations for
which they had previous responsibilities.
1130.C2 – If internal auditors have potential impairments to independence or objectivity
relating to proposed consulting services, disclosure must be made to the engagement
client prior to accepting the engagement.

1322 – Disclosure of Nonconformance


When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the
Standards impacts the overall scope or operation of the internal audit activity, the chief audit
executive must disclose the nonconformance and the impact to senior management and the
board.

2050 – Coordination
The chief audit executive should share information and coordinate activities with other internal
and external providers of assurance and consulting services to ensure proper coverage and
minimize duplication of efforts.

2100 – Nature of Work


The internal audit activity must evaluate and contribute to the improvement of governance, risk
management, and control processes using a systematic and disciplined approach.

2500 – Monitoring Progress


The chief audit executive must establish and maintain a system to monitor the disposition of
results communicated to management.
2500.A1 – The chief audit executive must establish a follow-up process to monitor and
ensure that management actions have been effectively implemented or that senior
management has accepted the risk of not taking action.
2500.C1 – The internal audit activity must monitor the disposition of results of consulting
engagements to the extent agreed upon with the client.

2600 – Communicating the Acceptance of Risks


When the chief audit executive concludes that management has accepted a level of risk that
may be unacceptable to the organization, the chief audit executive must discuss the matter
with senior management. If the chief audit executive determines that the matter has not been
resolved, the chief audit executive must communicate the matter to the board.

Definition of Key Concepts


Assurance Functions – Functions that provide assurance on the effectiveness of governance,
risk management, and control.
Assurance Services – An objective examination of evidence for the purpose of providing an
independent assessment on governance, risk management, and control processes for the
organization. Examples may include financial, performance, compliance, system security, and
due diligence engagements.1

1 The International Professional Practices Framework (IPPF), pp. 42-43. 2013.

Board – The highest level of governing body charged with the responsibility to direct and/or
oversee the activities and management of the organization. Typically, this includes an
independent group of directors (e.g., a board of directors, a supervisory board, or a board of
governors or trustees). If such a group does not exist, the “board” may refer to the head of the
organization. “Board” may refer to an audit committee to which the governing body has
delegated certain functions.2
Chief Audit Executive – Chief audit executive (CAE) describes a person in a senior position
responsible for effectively managing the internal audit activity in accordance with the internal
audit charter and the Definition of Internal Auditing, the Code of Ethics, and the Standards. The
chief audit executive or others reporting to the chief audit executive will have appropriate
professional certifications and qualifications. The specific job title of the chief audit executive
may vary across organizations.3
Impairment – Impairment to organizational independence and individual objectivity may include
personal conflict of interest, scope limitations, restrictions on access to records, personnel, and
properties, and resource limitations (funding).4
Independence – The freedom from conditions that threaten the ability of internal audit to carry
out internal audit responsibilities in an unbiased manner.5
Internal Audit Activity – A department, division, team of consultants, or other practitioner(s) that
provides independent, objective assurance and consulting services designed to add value and
improve an organization's operations. The internal audit activity helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of governance, risk management, and control processes.6, 7
Objectivity – An unbiased mental attitude that allows internal auditors to perform engagements
in such a manner that they believe in their work product and that no quality compromises are
made. Objectivity requires that internal auditors do not subordinate their judgment on audit
matters to others.8

2 Ibid.
3 Ibid.
4 Ibid.
5 Ibid.
6 Ibid.
7 Note: the terms “internal audit” and “internal audit activity” are used interchangeably in this practice guide.
8 Ibid.

Overview of Good Governance


The Three Lines of Defense Model

The Three Lines of Defense model9, as illustrated in Figure 1, describes responsibilities for
effective risk management and control as follows:

• Management is primarily responsible for monitoring and controlling processes, and is the first line of defense in risk management.
• The second line of defense consists of separately established risk, control, and compliance oversight functions that ensure properly designed processes and controls are in place within the first line of defense and are operating effectively. The nature and types of these functions are dependent on many factors including industry and organizational maturity.
• Functions, such as internal audit, that provide independent assurance over processes and controls are considered the third line of defense.

Figure 1: The Three Lines of Defense model

Assuming effectiveness, each line of defense contributes to healthy organizational governance by ensuring objectives are achieved in the context of the social, regulatory, and market environments. Both the second and third lines provide oversight and/or assurance over risk management. The key differences between the second and third lines of defense are the concepts of independence and objectivity.

9 The IIA’s Position Paper, The Three Lines of Defense in Effective Risk Management and Control, 2013.

Independence and Objectivity

Standard 1100 states that the internal audit activity must be independent, and internal auditors
must be objective in performing their work. Conditions that threaten the ability of any
organizational function, including internal audit, to perform its responsibilities in an unbiased
manner have the potential to compromise independence and objectivity.

According to the interpretation of Standard 1110, organizational independence is effectively
achieved when the chief audit executive reports functionally to the board, which includes board
approval of the appointment, remuneration, and removal of the chief audit executive. Leaders
in the second line of defense typically report functionally to organizational management and as
a result, the second line of defense is not considered independent.

Benefits can be derived by an organization when the second and third lines of defense
collaborate. Standard 2050 states that the chief audit executive should share information and
coordinate activities with other internal and external providers of assurance and consulting
services to ensure proper coverage and minimize duplication of efforts. The IIA’s Practice
Guide, Coordinating Risk Management and Assurance, provides guidance to the CAE on
effective coordination and reporting so that resources are used effectively and key risks are not
missed or misjudged.

Boards and management rely on internal audit to provide assurance on the adequacy of
governance, risk management, and controls. This reliance is enhanced by internal audit’s
independence and internal auditors’ objectivity. As governance and risk management activities
expand, additional safeguards and controls are needed to maintain independence and
objectivity.

Role of the CAE

Organizational Governance and Three Lines of Defense

In accordance with Standard 2100, internal audit must evaluate and contribute to the
improvement of governance, risk management, and control processes using a systematic and
disciplined approach. If certain second line of defense functions are deemed critical to
monitoring and/or providing assurance on the effectiveness of risk management and internal
control, the CAE must evaluate the effectiveness of those functions relative to this objective.
The scope of the evaluation will be driven by risk and the extent of reliance placed on these
functions.

The IIA’s Practice Guide, Reliance by Internal Audit on Other Assurance Providers, provides
guidance to the CAE on an approach for relying on the assurance provided by other internal or
external assurance functions, which is useful for assessing the effectiveness of the function.

Identifying Gaps and Potential Conflicts Within the Three Lines of Defense

When assessing second line of defense functions, the CAE may identify gaps, conflicts, or
duplication of efforts. Consistent with Standard 2100, the CAE should work with stakeholders
to recommend enhancements that improve governance, risk management, and internal
controls. Outcomes may include collaborating between organizational areas to reduce overlap
between functions and segregating responsibilities to properly maintain independence and
objectivity. The following sections provide guidance to the CAE on maintaining independence
and objectivity in situations where internal audit assumes second line of defense
responsibilities.

Internal Audit and Second Line of Defense Responsibilities


Second Line of Defense Functions

Many organizations have asked or required the CAE to assume additional second line of
defense responsibilities. This is often due to the size or maturity of the organization, or the
result of new risk management or compliance initiatives undertaken by the organization. If not
managed properly, objectivity, which is crucial to providing assurance to management and the
board, could be impaired.

Regulatory standards and widely adopted industry practices may require specific second line
of defense activities, such as risk management coordination or compliance review. For
example, second line of defense responsibilities could be related to requirements for the
financial services industry, independent audits of quality management systems (ISO 9001),
European Commission’s Eco-Management and Audit Scheme (EMAS) to evaluate and report
environmental performance, and United States Occupational Safety and Health
Administration’s (OSHA) enforcement of work-related health and safety rules.

Internal Audit and Second Line of Defense Activities

Responsibilities may become blurred across internal audit and second line of defense
functions, even in organizations with robust risk management and governance programs and
resources to support both. The CAE may be asked to assume second line of defense activities
in situations such as:

• New regulatory requirement: A new regulation requires substantial effort associated with new policies, procedures, testing, and risk management activities.
• Change in business: An organization may enter into a new geographical market or new business segment and be subject to new regulations or risk management activities.
• Resource constraints: An organization may experience resource constraints or changes in staff, such as when the leader of a second line of defense function leaves the organization.
• Efficiency: Management and/or the board may determine it is more efficient for internal audit to perform compliance or other second line of defense functions.

Internal audit may be the preferred choice due to its expertise in applying risk management
and governance principles in existing, new, and emerging areas. As an example, management
across many organizations asked internal audit to take the lead compliance role when
Sarbanes-Oxley legislation became required for U.S. public companies. The blending of
internal audit with second line of defense activities may also occur without additional regulatory
requirements or resource constraints, as management may determine that internal audit is the
best fit for certain activities, such as where:

• The organization is small and cannot support distinct control and assurance functions.
• Management and the board do not believe the degree of risk warrants separate functions for certain second and third line of defense activities.
• Internal audit has the necessary skill set or relevant expertise for specific risk management and/or compliance responsibilities.
• Management and/or the board do not understand or appropriately value the importance of an independent and objective third line of defense.
• Internal audit responds to cost-cutting pressures or other factors, and assumes responsibilities for the good of the organization.

If second line of defense responsibilities are assumed by internal audit, the CAE should
communicate the risks to management and the board. It is important for the CAE,
management, and the board to understand the risks involved with assuming such duties,
regardless of whether it will be a temporary or long-term arrangement. Either way, proper
safeguards and controls need to be agreed upon, implemented, and periodically validated to
ensure that internal audit’s objectivity is properly maintained.

Safeguards to Maintain Independence and Objectivity


Corporate governance arrangements vary considerably among organizations, depending on
factors such as the size of the organization, industry sector, availability of resources, culture,
risk tolerance, make-up of the board, and the relative risk and importance of certain second
line of defense activities to the entity. The effectiveness of internal audit’s primary function —
to provide independent, objective assurance and consulting services — should be protected.
Any impairment to independence and/or objectivity needs to be elevated and evaluated.

Discussions on Dual Responsibilities


Standard 1110 requires confirmation to the board, at least annually, about the status of the
internal audit function regarding organizational independence. Standard 1130 requires the
disclosure of any impairment, in fact or appearance, to appropriate parties. The nature of the
disclosure will depend on the impairment and should state the following:

• Situation.
• Consequences and risks to internal audit’s independence and objectivity.
• Safeguards.
• Transition plan, if applicable.

Safeguards to Maintain Independence and Objectivity


If management and the board accept the risk of internal audit assuming second line of defense
activities, safeguards and controls need to be put in place to ensure independence and
objectivity are not compromised. The safeguards noted below should be considered for each
second line of defense activity assigned to internal audit.

• Discussion of risks with management and the board.
• Acceptance and ownership of the risks by management.
• Clear definition and assignment of roles for each activity where second line of defense activities overlap with third line of defense activities, including the following documented components:
  ◦ Impact and risks to the organization and internal audit.
  ◦ Roles, responsibilities, and segregation of duties.
  ◦ Controls put in place to validate that agreed upon safeguards are operating effectively.
  ◦ Determination of whether the assignment is temporary or long-term.
    ▪ If temporary, a transition plan is needed (see next section).
  ◦ Documented acceptance and approval by senior management and the board.
  ◦ Second line of defense activities performed by internal audit should be referenced in the charter and/or included in the board update, at least annually.
• Periodic (at least annual) evaluation of reporting lines and responsibilities by management and the board.
• The nature of internal audit’s roles should be clearly stated in the audit charter.
• Periodic independent assessment of internal audit’s second line of defense roles and the efficacy of the independence, objectivity, and assurance provisions.
  ◦ The CAE should include a review of internal audit’s second line of defense roles, in conjunction with its quality assurance and improvement program or on a more frequent basis, depending on the level of risk.
• Where safeguards to maintain internal audit’s independence and objectivity are not possible, the Standards require that responsibility for performing the second line of defense activity be reassigned elsewhere in the organization or outsourced to a third-party provider.

Internal audit should take care to avoid activities that compromise its independence and/or
objectivity, including:

• Setting the risk appetite.
• Owning or managing risks.
• Assuming responsibilities for accounting, business development, and other first line of defense functions.
• Making risk response decisions on management’s behalf.
• Implementing or assuming accountability for risk management or governance processes.
• Providing assurance on second line of defense activities performed by internal audit.

Transition Plan
If the assignment of second line of defense responsibilities to internal audit is deemed to be
temporary, a formal transition plan to relieve internal audit from such responsibilities should be
developed, discussed with management and the board, and implemented.

The transition plan should consider matters such as:

• Organizational/structural needs: Internal audit may need to adjust reporting relationships as individuals or groups cease their role in second line of defense activities. If these responsibilities are moving elsewhere in the organization, structural changes may be required to ensure independence and objectivity.
• Resources: Resources may be required to train individuals elsewhere in the organization for second line of defense duties or to transition internal audit staff to these roles.
• Timeline and tasks: Responsibilities and target dates for key milestones should be documented.
• Maintaining independence during transition: In accordance with Standard 1130.A1, individuals must refrain from assessing specific matters for which they were previously responsible for a period of at least one year. This would apply to individuals who have been involved in second line of defense activities while working within internal audit.
• Monitoring progress: The CAE should monitor progress of the transition plan.
• Transparency: Ongoing communication with management and the board regarding adherence to the transition plan and schedule. Significant changes or delays should be evaluated and approved by the board.

Internal audit’s audit plan may include provisions to validate the completeness and
effectiveness of the transition of second line of defense duties to the identified resources (a
third party may need to lead this audit effort due to independence and objectivity implications).
During the development and implementation of the transition plan, the CAE, along with senior
management and the board, should consider the long-term organizational structure to ensure
proper tone at the top; appropriateness of corporate governance programs; statutory,
regulatory, and other mandatory compliance requirements; risk management culture;
alignment with the three lines of defense approach; and the size and complexity of the
organization.

Management’s Acceptance of Risks to Independence and Objectivity
Organizations may opt to keep certain second line of defense responsibilities integrated within
internal audit. This may occur in smaller organizations, as well as areas where management
has concluded there is minimal risk or impact to the organization. The decision to integrate
second and third lines of defense responsibilities as a longer-term strategy should be
thoughtful, deliberate, and based on a risk analysis and substantial discussion with
management and the board.

Management’s acceptance of risks associated with blending internal audit with second line of
defense activities may be regarded as suitable for a period of time, but it should not be
regarded as permanent. Changes to the business, regulatory landscape, and underlying risks
(either the inherent risks or application of risks on the business) can overwhelm the resources
allocated to risk management. An evaluation, including a refresh of the risk analysis, should
occur with management and the board at least annually to evaluate internal audit’s current role
in performing second line of defense activities.

The overlap of second and third line of defense activities is an excellent focus area for a quality
assurance and improvement program. Internal audit should reassess the risks to
independence and objectivity, communicate these to management, consider transition plans,
and obtain management’s acceptance of these risks on a periodic basis. The CAE may also
ask external assessors to include such matters in the scope of their assessments.

As governance and risk management activities continue to evolve, internal audit may be asked
or required by management to assume second line of defense responsibilities. Management
and the board should evaluate, discuss, and accept the associated risks before blending these
duties. The CAE should ensure that appropriate safeguards and controls, identified in this
guidance, are implemented and periodically validated to maintain internal audit’s
independence and objectivity.

Resources
Related IIA Guidance
Following are IIA resources that may be useful for internal auditors to reference when faced with taking
on responsibilities for risk management, compliance, regulatory oversight, and other governance
activities.

Practice Advisory 2050-1: Coordination

Practice Advisory 2500.A1-1: Follow-up Process

The IIA’s Practice Guide, Coordinating Risk Management and Assurance, 2012

The IIA’s Practice Guide, Reliance by Internal Audit on Other Assurance Providers, 2011

The IIA’s Position Paper, Three Lines of Defense in Effective Risk Management and Control, 2013.

Authors
Caroline Glynn, CIA

Douglas Hileman, CRMA, CPEA

Hans-Peter Lerchner, CIA

Thomas Sanglier, CIA, CRMA


About The IIA


The Institute of Internal Auditors (The IIA) is the internal audit profession’s most widely recognized advocate, educator,
and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 180,000
members from more than 170 countries and territories. The association’s global headquarters are in Altamonte
Springs, Fla. For more information, visit www.globaliia.org or www.theiia.org.

About Supplemental Guidance


Supplemental Guidance is part of The IIA’s International Professional Practices Framework (IPPF) and provides
additional recommended (non-mandatory) guidance for conducting internal audit activities. While supporting the
Standards, Supplemental Guidance is not intended to directly link to achievement of conformance with the Standards.
It is intended instead to address topical areas, as well as sector-specific issues, and it includes detailed processes and
procedures. This guidance is endorsed by The IIA through formal review and approval processes.

Practice Guides
Practice Guides are a type of Supplemental Guidance that provide detailed guidance for
conducting internal audit activities. They include detailed processes and procedures, such as
tools and techniques, programs, and step-by-step approaches, as well as examples of
deliverables. As part of the IPPF guidance, conformance with Practice Guides is recommended
(non-mandatory). Practice Guides are endorsed by The IIA through formal review and approval
processes.
A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in
straightforward business language to address a timely issue related to information technology
management, control, or security.
For other authoritative guidance materials provided by The IIA, please visit our website at
www.globaliia.org/standards-guidance or www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes; it is not intended to provide definitive
answers to specific individual circumstances and, as such, is only intended to be used as a guide. The IIA recommends
that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no
responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2016 The Institute of Internal Auditors.
For permission to reproduce, please contact guidance@theiia.org.

January 2016

IPPF – Practice Guide

Internal Auditing
and Fraud

December 2009

Table of Contents
Introduction
Executive Summary
Definition of Fraud
Fraud Awareness
  A. Reasons for Fraud
  B. Examples of Fraud
  C. Potential Fraud Indicators
Typical Roles & Responsibilities for Fraud
Internal Audit Responsibilities During Audit Engagement
  A. Conducting Audit Engagements
  B. Internal Auditor Skepticism
  C. Communicating With the Board
Fraud Risk Assessment
  A. Identifying Relevant Fraud Risk Factors
  B. Identifying Potential Fraud Schemes and Prioritizing Them Based on Risk
  C. Mapping Existing Controls to Potential Fraud Schemes and Identifying Gaps
  D. Testing Operating Effectiveness of Fraud Prevention and Detection Controls
  E. Documenting and Reporting on the Fraud Risk Assessment
Fraud Prevention and Detection
  A. Fraud Prevention
  B. Fraud Training
  C. Fraud Detection
Fraud Investigation
  A. Investigation Process
  B. Internal Auditing's Role in Investigations
  C. Conducting the Investigation
  D. Reporting Fraud Investigations
  E. Resolution of Fraud Incidents
  F. Communications of Fraud Incidents
  G. Analysis of Lessons Learned
Forming an Opinion on Internal Controls Related to Fraud
Appendix A – Reference Material
Appendix B – Questions To Consider
Appendix C – Fraud Risk Assessment Template

Introduction

The purpose of this Practice Guide is to increase the internal auditor's awareness of fraud and provide guidance on how to address fraud risks on internal audit engagements.

The International Professional Practices Framework (IPPF) outlines the following International Standards for the Professional Practice of Internal Auditing (Standards) pertaining to fraud and the internal auditor's role in detecting, preventing, and monitoring fraud risks and addressing those risks in audits and investigations.

IIA Standard 1200: Proficiency and Due Professional Care

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

IIA Standard 1220: Due Professional Care

1220.A1 – Internal auditors must exercise due professional care by considering the:

• Extent of work needed to achieve the engagement's objectives.
• Related complexity, materiality, or significance of matters to which assurance procedures are applied.
• Adequacy and effectiveness of governance, risk management, and control processes.
• Probability of significant errors, fraud, or noncompliance.
• Cost of assurance in relation to potential benefits.

IIA Standard 2060: Reporting to Senior Management and the Board

The chief audit executive (CAE) must report periodically to senior management and the board on the internal audit activity's purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.

IIA Standard 2120: Risk Management

2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

IIA Standard 2210: Engagement Objectives

2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

In addition, see Appendix A – Reference Material, which lists IPPF Practice Advisories that discuss fraud.

Executive Summary

Fraud negatively impacts organizations in many ways, including financial, reputational, psychological, and social implications. According to various surveys, monetary losses from fraud are significant. However, the full cost of fraud is immeasurable in terms of time, productivity, and reputation, including customer relationships. Depending on the severity of the loss, organizations can be irreparably harmed due to the financial impact of fraud activity. Therefore, it is important for organizations to have a strong fraud program that includes awareness, prevention, and detection programs, as well as a fraud risk assessment process to identify fraud risks within the organization.

Frauds can be committed by an employee at any level within an organization, as well as by those outside the organization. There are three common characteristics of most frauds:

• Pressure or incentive — the need the fraudster is trying to satisfy by committing the fraud.
• Opportunity — the fraudster's ability to commit the fraud.
• Rationalization — the fraudster's ability to justify the fraud in his or her mind.

An effective fraud management program includes:

• Company ethics policy — "tone at the top" from senior management.
• Fraud awareness — understanding the nature, causes, and characteristics of fraud.
• Fraud risk assessment — evaluating the risk of various types of fraud.
• Ongoing reviews — an internal audit activity that considers fraud risk in every audit and performs appropriate procedures based on fraud risk.
• Prevention and detection — efforts taken to reduce opportunities for fraud to occur and persuading individuals not to commit fraud because of the likelihood of detection and punishment.
• Investigation — procedures and resources to fully investigate and report a suspected fraud event.

An effective internal audit activity can be extremely helpful in addressing fraud. Although management and the board are ultimately responsible for fraud deterrence, internal auditors can assist management by determining whether the organization has adequate internal controls and fosters an adequate control environment.

There are various approaches that the CAE may use in considering fraud while conducting internal audit activities:

• Auditing management controls over fraud. This includes policies, awareness practices, tone at the top, board and senior management governance (the control environment), as well as related practices, such as risk assessment, assessing the adequacy of preventive and detective controls in managing fraud risk within organizational tolerances, incident management, investigations, and recovery practices. Internal auditing should allocate resources to fraud-related activities in line with the risk of fraud relative to other organizational risks.
• Auditing to detect likely fraud by testing high-risk processes, with the intention of looking for indicators of fraud, within the organization and with external business relationships. For example, testing payroll for phantom employees, testing vendor invoices for overcharges, matching vendor addresses with employee addresses to detect fictitious vendors, or reviewing databases for duplicate transactions.
• Considering fraud as part of every audit. For example, brainstorming about fraud risk, evaluating fraud controls, designing procedures that consider the fraud risk, or evaluating errors to determine whether they could be an indication of fraud. The cumulative results may provide perspective on whether management's awareness and risk management programs have been implemented effectively across the organization.
• Consulting assignments help management identify and assess risk and determine the adequacy of the control environment for process reviews, new business ventures, or IT applications. Facilitation of management's self-assessment is another example of evaluating fraud risk, ensuring controls are in place to mitigate those risks, and establishing who is monitoring results.
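The detection tests named in the second approach above (phantom employees, vendor addresses that match employee addresses, duplicate transactions) are routinely run as data analytics over payroll and accounts-payable extracts. The following Python script is an added example, not code from the IIA guide: it runs those three tests over a small constructed data set. The field names (emp_id, bank, vendor_id, invoice_no) and the address normalization rules are assumptions made for the example, not any particular system's schema.

```python
"""Fraud analytics over payroll, vendor master, and invoice extracts.

Added example, not code from the IIA guide. It implements the three tests
the guide lists under "Auditing to detect likely fraud": phantom (ghost)
employees, vendor addresses that match employee addresses, and duplicate
vendor invoices. All records below are constructed for the example, and the
field names (emp_id, bank, vendor_id, invoice_no) are assumptions rather
than any real system's schema.
"""
import re
from collections import defaultdict

# Constructed sample extracts (not real data).
HR_MASTER = [
    {"emp_id": "E100", "name": "A. Ortiz", "address": "12 Elm St., Springfield", "bank": "ACC-1"},
    {"emp_id": "E101", "name": "B. Chen", "address": "9 Oak Ave, Springfield", "bank": "ACC-2"},
    {"emp_id": "E102", "name": "C. Patel", "address": "40 Pine Rd, Shelbyville", "bank": "ACC-3"},
]
# E999 is paid but has no HR record; E102 is paid into E101's bank account.
PAYROLL = [
    {"emp_id": "E100", "bank": "ACC-1", "amount": 3200.00},
    {"emp_id": "E101", "bank": "ACC-2", "amount": 3100.00},
    {"emp_id": "E102", "bank": "ACC-2", "amount": 2900.00},
    {"emp_id": "E999", "bank": "ACC-9", "amount": 4100.00},
]
# V2 is registered at an employee's home address, typed differently.
VENDORS = [
    {"vendor_id": "V1", "name": "Acme Supplies", "address": "500 Industrial Pkwy, Shelbyville"},
    {"vendor_id": "V2", "name": "Elm Consulting LLC", "address": "12 ELM STREET, Springfield"},
]
# The same V1 invoice is submitted twice with the number formatted differently.
INVOICES = [
    {"vendor_id": "V1", "invoice_no": "INV-0042", "amount": 1500.00, "date": "2024-03-01"},
    {"vendor_id": "V1", "invoice_no": "inv 0042", "amount": 1500.00, "date": "2024-03-15"},
    {"vendor_id": "V2", "invoice_no": "2024-07", "amount": 9800.00, "date": "2024-03-20"},
]

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "parkway": "pkwy"}


def normalize_address(addr):
    """Lower-case, drop punctuation, and collapse common street-type words so
    '12 Elm St.' and '12 ELM STREET' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def normalize_invoice_no(invoice_no):
    """Keep only alphanumerics, upper-cased, so 'INV-0042' equals 'inv 0042'."""
    return re.sub(r"[^A-Za-z0-9]", "", invoice_no).upper()


def ghost_employees(payroll, hr_master):
    """Payroll lines for IDs unknown to HR, plus bank accounts that receive pay
    for more than one employee ID (both classic ghost-employee patterns)."""
    known = {e["emp_id"] for e in hr_master}
    findings = [("no_hr_record", p["emp_id"]) for p in payroll if p["emp_id"] not in known]
    by_bank = defaultdict(set)
    for p in payroll:
        by_bank[p["bank"]].add(p["emp_id"])
    for bank, ids in sorted(by_bank.items()):
        if len(ids) > 1:
            findings.append(("shared_bank_account", bank, tuple(sorted(ids))))
    return findings


def vendor_employee_address_matches(vendors, hr_master):
    """Vendors whose normalized address equals an employee's normalized address."""
    emp_by_addr = defaultdict(list)
    for e in hr_master:
        emp_by_addr[normalize_address(e["address"])].append(e["emp_id"])
    return [
        (v["vendor_id"], tuple(emp_by_addr[normalize_address(v["address"])]))
        for v in vendors
        if normalize_address(v["address"]) in emp_by_addr
    ]


def duplicate_invoices(invoices):
    """Invoices sharing vendor, normalized invoice number, and amount."""
    seen = defaultdict(list)
    for inv in invoices:
        key = (inv["vendor_id"], normalize_invoice_no(inv["invoice_no"]), round(inv["amount"], 2))
        seen[key].append(inv["date"])
    return [(key, dates) for key, dates in seen.items() if len(dates) > 1]


def run_all():
    """Run every test and return the hits keyed by test name."""
    return {
        "ghost_employees": ghost_employees(PAYROLL, HR_MASTER),
        "vendor_address_matches": vendor_employee_address_matches(VENDORS, HR_MASTER),
        "duplicate_invoices": duplicate_invoices(INVOICES),
    }


if __name__ == "__main__":
    for test, hits in run_all().items():
        print(f"{test}: {hits}")
```

Normalization is what makes the address and invoice-number matches useful in practice: a fictitious vendor is rarely registered with an address typed exactly as the employee's HR record has it, and a re-submitted invoice usually differs in punctuation or case. Every hit is an indicator for follow-up inquiry, not proof of fraud, which is consistent with the guide's caution about red flags.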

This document will discuss fraud and provide general guidance to help internal auditors comply with professional Standards. To learn more about detecting and controlling fraud, see Appendix A — Reference Material.


Definition of Fraud

Fraud encompasses a wide range of irregularities and illegal acts characterized by intentional deception or misrepresentation. The Institute of Internal Auditors' (IIA's) IPPF defines fraud as:

"Any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage."

Another definition of fraud from the publication "Managing the Business Risk of Fraud: A Practical Guide," sponsored by The IIA, the American Institute of Certified Public Accountants, and the Association of Certified Fraud Examiners, states:

"Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain."

Frauds are characterized by intentional deception or misrepresentation. This practice guide may refer to certain actions as "fraud," which may also be legally defined and/or commonly known as corruption.


Fraud Awareness

Increased levels of fraud, a heightened regulatory environment, and pointed questions from internal and external auditors and boards of directors have caused companies to increase vigilance in their efforts to address fraud. Even amidst a culture of heightened awareness, however, an organization may be the victim of fraud and yet be unaware of this reality. Fraudulent schemes are often ongoing crimes that can last for months or even years before detection. Many fraud schemes are not publicized or even detected, making it difficult to measure the losses associated with fraud. Fraud losses that are known and confirmed make clear that the cost is high. The true cost of fraud, however, is even higher than just the loss of money, given its impact on time, productivity, reputation, and customer relationships.

Corruption — the misuse of entrusted power for private gain — and fraud have adversely impacted numerous organizations. The high cost of corporate governance, associated fines, and penalties have been a direct result of corporate frauds. Business executives have been involved in litigation, and in extreme circumstances, faced jail sentences when their global operations were not in compliance with legal and regulatory requirements.

Fraud has negatively impacted organizations in different ways, including financial, reputational, psychological, and social. Organizations have been forced to cease operations due to the impact of financial and reputation damages, and the psychological and social effects have been especially devastating to the employees of the organizations. Victims of fraud also suffer mental and emotional harm and stress-related physical effects in addition to their financial losses. The victims have felt robbed of not only their money, but also their security, self-esteem, and dignity. The bottom line is that fraud left unchecked can be detrimental to any organization.

Fraud can range from minor employee theft and unproductive behavior to misappropriation of assets, fraudulent financial reporting, or Ponzi schemes used to defraud investors. However, the risk of fraud can be reduced through a combination of prevention, detection, and deterrence measures. Most fraudulent schemes can be avoided with basic internal controls and effective audits and oversight. Unfortunately, fraud can be difficult to detect because it often involves concealment through falsification of documents or collusion among members of management, employees, or third parties.

A. Reasons for Fraud

Most frauds begin small and continue to grow as the scheme remains undetected. For example, perpetrators often view initial stealing as temporary borrowings that will be fixed before anyone notices the problem. The borrowing accelerates and the perpetrators take positions that are indefensible or develop a scheme for the concealment and attempt to avoid discovery. As the fraud continues to grow, hopefully, it will be detected by a fellow employee, management, or an internal or external auditor.

Perpetrators primarily exploit inadequate internal controls for their own gain, resulting in substantial damage to the organization. The typical fraudster is a male of middle age, employed by the organization for a number of years. He often works in the financial department and typically commits the deed on his own terms, driven by a desire for money and opportunity. Many studies indicate that most frauds are committed by members of management. Managers generally have access to confidential information, enabling them to override internal controls and inflict greater damage to the organization than lower level staff members. Fraud perpetrators tend to be in positions of trust, educated, heads of households, and members of community organizations who are motivated by a personal need and are able to rationalize their actions.


Without minimizing the individualized circumstances of each fraudulent scheme, the following are three common characteristics of frauds.

• Pressure or incentive represents a need that an individual attempts to satisfy by committing fraud. Often, pressure comes from a significant financial need or problem. This may include the need to keep one's job or earn a bonus. In publicly traded companies, there may be pressure to meet or beat analysts' estimates. For example, a large bonus or other financial award can be earned based on meeting certain performance goals. The fraudster has a desire to maintain his or her position in the organization and to retain a certain standard of living to compete with perceived peers.

• Opportunity is the ability to commit fraud and not be detected. Since fraudsters do not want to be caught in their actions, they must believe that their activities will not be detected. Opportunity is created by weak internal controls, poor management, lack of board oversight, and/or through the use of one's position and authority to override controls. Failure to establish adequate procedures to detect fraudulent activity also increases the opportunities for fraud to occur. A process may be designed properly for typical conditions; however, a window of opportunity may arise creating circumstances for the control to fail. Persons in positions of authority may be able to create opportunities to override existing controls because subordinates or weak controls allow them to circumvent the established controls.

  || Opportunity often occurs because the fraudster knows what the auditor will do — the when, what, and how much of the auditor's procedures. For example, if the fraudster knows that the auditor always tests only large transactions in December, the fraudster can commit the fraud on smaller transactions in other months.

• Rationalization is the ability for a person to justify a fraud, a crucial component in most frauds. Rationalization involves a person reconciling his/her behavior (e.g., stealing) with the commonly accepted notions of decency and trust. For example, the fraudster places himself or herself as the priority (self-centered), rather than the well-being of the organization or society as a whole. The person may believe committing fraud is justified in the context of saving a family member or loved one so he/she can pay for high medical bills. Other times, the person simply labels the theft as "borrowing," and intends to pay the stolen money back at a later time. Some people will do things that are defined as unacceptable behavior by the organization, yet are commonplace in their culture or were accepted by previous employers. As a result, they can rationalize their behavior as the rules don't apply to them.

  || Management might reduce rationalization through its actions, for example, by implementing fair work and pay practices, equitable and consistent treatment of employees, and tone at the top (management modeling the behavior expected of employees).

Gaining insight into the motivations of a fraudster and recognizing the threat that exposes every organization are the first steps in establishing and implementing an effective and sustainable fraud risk management system. Of the three elements, opportunity is the one that organizations can influence the most. Organizations need procedures and internal controls that avoid putting employees in positions to commit fraud and that detect fraudulent activities if they occur.


Although internal auditors may not know the exact motive or rationalization leading to fraud, they need to identify opportunities for fraud. Internal auditors also need to understand fraud schemes and scenarios, as well as be aware of the signs that point to fraud and how to prevent it.

B. Examples of Fraud

Fraud is perpetrated by a person knowing that it could result in some unauthorized benefit to him or her, to the organization, or to another person, and can be perpetrated by persons outside or inside the organization. Some common fraud schemes include:

• Asset misappropriation involves stealing cash or assets (supplies, inventory, equipment, and information) from the organization. In many cases, the perpetrator tries to conceal the theft, usually by adjusting the records.

• Skimming occurs when cash is stolen from an organization before it is recorded on the organization's books and records. For example, an employee accepts payment from a customer, but does not record the sale.

• Disbursement fraud occurs when a person causes the organization to issue a payment for fictitious goods or services, inflated invoices, or invoices for personal purchases. For example, an employee can create a shell company and then bill the employer for nonexistent services. Other examples include fraudulent health care claims (billings for services not performed, unbundled billings instead of bundled billings), unemployment insurance claims by people who are working, or pension or social security claims for people who have died.

• Expense reimbursement fraud occurs when an employee is paid for fictitious or inflated expenses. For example, an employee submits a fraudulent expense report claiming reimbursement for personal travel, nonexistent meals, extra mileage, etc.

• Payroll fraud occurs when the fraudster causes the organization to issue a payment by making false claims for compensation. For example, an employee claims overtime for hours not worked or an employee adds ghost employees to the payroll and receives the paycheck.

• Financial statement fraud involves misrepresenting the financial statements, often by overstating assets or revenue or understating liabilities and expenses. Financial statement fraud is typically perpetrated by organization managers who seek to enhance the economic appearance of the organization. Members of management may benefit directly from the fraud by selling stock, receiving performance bonuses, or using the false report to conceal another fraud.

• Information misrepresentation involves providing false information, usually to those outside the organization. Most often this involves fraudulent financial statements, although falsifying information used as performance measures can also occur.

• Corruption is the misuse of entrusted power for private gain. Corruption includes bribery and other improper uses of power. Corruption is often an off-book fraud, meaning that there is little financial statement evidence available to prove that the crime occurred. Corrupt employees do not have to fraudulently change financial statements to cover up their crimes; they simply receive cash payments under the table. In most cases, these crimes are uncovered through tips or complaints from third parties, often via a fraud hotline. Corruption often involves the purchasing function. Any employee authorized to spend an organization's money is a possible candidate for corruption.

• Bribery is the offering, giving, receiving, or soliciting of anything of value to influence an outcome. Bribes may be offered to key employees or managers such as purchasing agents who have discretion in awarding business to vendors. In the typical case, a purchasing agent accepts kickbacks to favor an outside vendor in buying goods or services. The flip side of offering or receiving anything of value is demanding it as a condition of awarding business, termed economic extortion. Another example is a corrupt lending officer who demands a kickback in exchange for approving a loan. Those paying bribes tend to be commissioned salespeople or intermediaries for outside vendors.

• A conflict of interest occurs where an employee, manager, or executive of an organization has an undisclosed personal economic interest in a transaction that adversely affects the organization or the shareholders' interests.

• A diversion is an act to divert a potentially profitable transaction to an employee or outsider that would normally generate profits for the organization.

• Unauthorized or illegal use or theft of confidential or proprietary information to wrongly benefit someone.

• Related-party activity is a situation where one party receives some benefit not obtainable in a normal arm's length transaction.

• Tax evasion is intentional reporting of false information on a tax return to reduce taxes owed.

C. Potential Fraud Indicators

Fraudsters often display certain behaviors or characteristics that may serve as warning signs or red flags. For example, some perpetrators act unusually irritable, some suddenly start spending lavishly, and some become increasingly secretive about their activities. However, the presence of those symptoms does not in and of itself signify that a fraud is occurring or will occur in the future.

Red flags may relate to time, frequency, place, amount, or personality. Red flags include overrides of controls by management or officers, irregular or poorly explained management activities, consistently exceeding goals/objectives regardless of changing business conditions and/or competition, preponderance of non-routine transactions or journal entries, problems or delays in providing requested information, and significant or unusual changes in customers or suppliers. Red flags also include transactions that lack documentation or normal approval, employees or management hand-delivering checks, customer complaints about delivery, and poor IT access controls such as poor password controls.

Personal red flags include living beyond one's means; conveying dissatisfaction with the job to fellow employees; unusually close association with suppliers; severe personal financial losses; addiction to drugs, alcohol or gambling; change in personal circumstances; and developing outside business interests. In addition, there are fraudsters who consistently rationalize poor performance, perceive beating the system to be an intellectual challenge, provide unreliable communications and reports, and rarely take vacations or sick time (and when they are absent, no one performs their work).

These red flags are often indicators of misconduct, and an organization's management and internal auditors need to be trained to understand and identify the potential warning signs of fraudulent conduct. While none of these means an employee is actually committing fraud, a combination of these factors could indicate a need for inquiries and heightened audit attention.

Awareness of fraud schemes is developed through periodic assessment by management and internal auditors, training of employees, and frequent communication between management and employees.


Typical Roles/Responsibilities for Fraud Prevention/Detection

An oversight function is important to effectively prevent or deter fraud. Oversight can take many forms and can be performed by many within and outside the organization, under the overall oversight of the board of directors.

Board of Directors

The board of directors has responsibility for effective and responsible corporate fraud governance. The role of the board is to oversee and monitor management’s actions to manage fraud risks. Specifically, the board evaluates management’s identification of fraud risks, implementation of anti-fraud measures, and creation of the tone at the top. Since the board is the organization’s highest authority, it is responsible for setting the tone for fraud risk management within an organization. The board can implement policies that encourage ethical behavior, including processes for employees, customers, and external business relationship (EBR) partners to report instances where those policies are violated. The board may monitor the organization’s fraud risk management effectiveness by appointing one executive-level member of management to be responsible for coordinating fraud risk management and reporting to the board. To set the appropriate tone at the top, the board of directors needs proper governance. This encompasses all aspects of board governance, including independent board members who exercise control over board information, agenda, access to management and outside advisers, and who independently carry out the responsibilities of the nominating/governance, compensation, audit, and other committees.

Audit Committee

An audit committee of the board of directors is the independent eyes and ears of the investors and other stakeholders. The committee’s role is to evaluate management’s identification of fraud risks and the implementation of anti-fraud measures, and to provide the tone at the top that fraud will not be accepted in any form. The audit committee hires external auditors to report on the financial statements of the organization and provide recommendations on internal control. The external auditors report to the audit committee and not to management.

The audit committee usually has oversight of the internal audit activity. IIA Standard 2060: Reporting to the Board and Senior Management states that “the CAE must report periodically to senior management and to the board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by senior management and the board.”

The audit committee is responsible for overseeing controls to prevent or detect management fraud. In this role, the audit committee is responsible for overseeing senior management’s compliance with appropriate financial reporting and for preventing senior management override of controls or other inappropriate influence over the reporting process.

Management

Management is responsible for overseeing the activities of employees and typically does so by implementing and monitoring processes and internal controls. In addition, management assesses the vulnerability of the entity to fraudulent activity. Fraud can occur in any organization, but the degree and detail involved in the risk assessment may correspond with the size and complexity of the organization.

Management is responsible for establishing and maintaining an effective internal control system at a reasonable cost. In addition, management’s discussions with investigators and legal counsel play an important role in developing controls over the investigation process, including developing policies and procedures for effective fraud investigations and for handling the results of investigations, reporting, and communications.

Legal Counsel

The roles and responsibilities of the in-house counsel will often be governed by the laws of each jurisdiction. A lawyer generally acts in the best interest of the organization and also is required to preserve client confidences. The discovery of fraud can bring these two ethical duties into a potential conflict. When faced with constituents in an organization who intend to engage in fraud, a lawyer can urge reconsideration, advise the constituents to seek a separate legal opinion, or refer the matter to a higher authority within the organization. The in-house counsel may decide to resign upon learning about potential or ongoing fraud, especially if the counsel’s work product is used to further the fraud. If counsel resigns, the general counsel or outside counsel can document the measures taken to notify the wrongdoing members of the organization of the illegality of their 1) intended or ongoing conduct, 2) the consequences of that conduct, and 3) the counsel’s attempt to deter the conduct.

Internal Auditors

Internal auditors evaluate risks faced by their organizations based on audit plans with appropriate testing. Internal auditors need to be alert to the signs and possibilities of fraud within an organization. While external auditors focus on misstatements in the financial statements that are material, internal auditors are often in a better position to detect the symptoms that accompany fraud. Internal auditors usually have a continual presence in the organization that provides them with a better understanding of the organization and its control systems. Specifically, internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls. In addition, they may assist management in establishing effective fraud prevention measures by knowing the organization’s strengths and weaknesses and providing consulting expertise.

The importance an organization attaches to its internal audit activity is an indication of the organization’s commitment to effective internal control and fraud risk management. The internal auditor’s roles in relation to fraud risk management could include initial or full investigation of suspected fraud, root cause analysis and control improvement recommendations, monitoring of a reporting/whistleblower hotline, and providing ethics training sessions. If assigned such duties, internal auditing has a responsibility to obtain sufficient skills and competencies, including knowledge of fraud schemes, investigation techniques, and laws.

Internal auditors may conduct proactive auditing to search for misappropriation of assets and information misrepresentation. This may include the use of computer-assisted audit techniques, including data mining, to detect particular types of fraud. Internal auditors also can employ analytical and other procedures to find unusual items and perform detailed analyses of high-risk accounts and transactions to identify potential fraud.

At the appropriate time when enough information has been obtained, the CAE should keep senior management and the audit committee informed of special investigations in progress and completed.

External Auditors

The organization’s external auditors have a responsibility to comply with professional standards and to plan and perform the audit of the organization’s financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement and whether the misstatements were caused by error or fraud. Whenever the external auditor has determined there is evidence that fraud may exist, the external auditor’s professional standards typically require that the matter be brought to the attention of an appropriate level of management. The external auditor typically reports fraud involving senior management directly to those charged with governance (e.g., the audit committee).

Loss Prevention Manager

The loss prevention (LP) manager (or company security group) deals with areas of business risk such as crimes, disasters, accidents, and waste, which have the capability to cause business failure. As the organization’s security expert, the LP manager is in an advantageous position to lead risk communications between other risk and line managers. By identifying and understanding potential and actual patterns within the business, the LP manager can provide valuable insights to management on judging the effectiveness of the organization’s risk management processes. The LP manager usually works closely with internal auditors to identify areas of weak internal controls within the organization.

Fraud Investigators

Fraud investigators are usually responsible for the detection and investigation of fraud, and the recovery of assets. They also perform a role in fraud prevention. Senior management and the audit committee need to support the investigators to let all stakeholders know the business entity is ready to respond quickly and appropriately to fraud risks. The organizational alignment of a fraud investigation unit (FIU) can vary. If a FIU is based within a corporate security department, it may be beneficial for them to work closely with or be involved in internal audit activities so the FIU employees will have access to internal and independent auditor findings. Fraud investigators often work closely with legal counsel to bring legal action against the perpetrator. Communications between fraud investigators and the legal counsel are likely to be considered confidential (e.g., privileged) to enable free and open dialogue. Also, a fraud investigator’s work done at the direction of legal counsel may constitute protected attorney work product.

The lead investigator usually determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and assigns competent and appropriate people to the team. This process could include assurance that there is no potential conflict of interest with those being investigated or with any other employees of the organization.

Other Employees

Every employee has a role to play in fighting fraud. Employees are the eyes and ears of the organization, and they should be empowered to maintain a workplace of integrity. Employees can report suspicions of fraud to an employee hotline, the internal audit department, or a member of management. To deter and detect fraud and abuse, many experts believe an employee hotline that is appropriately monitored is the single most cost-effective fraud detection and deterrence measure.

Internal Audit Responsibilities During Audit Engagement

To the degree that fraud may be present in activities covered in the normal course of audit work, the Standards state that internal auditors have the following responsibilities with respect to fraud detection:

• Due Professional Care (Standard 1220).
• Risk Management (Standard 2120).
• Engagement Objectives (Standard 2210).

However, most internal auditors are not expected to have knowledge equivalent to that of a person whose primary responsibility is detecting and investigating fraud. Also, audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected.

A well-designed internal control system should help prevent or detect material fraud. Tests conducted by internal auditors improve the likelihood that important fraud indicators will be detected and considered for further testing.

A. Conducting Audit Engagements

In conducting audit engagements, the internal auditor should:

• Consider fraud risks in the assessment of internal control design and determination of audit steps to perform. Internal auditors are not expected to detect fraud, but internal auditors are expected to obtain reasonable assurance that business objectives for the process under review are being achieved and material control deficiencies — whether through simple error or intentional effort — are detected. The consideration of fraud risks is documented in the workpapers, as well as linkage of fraud risks to specific audit work.

• Have sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. This knowledge includes the characteristics of fraud, the techniques used to commit fraud, and the various fraud schemes and scenarios associated with the activities reviewed.

• Be alert to opportunities that could allow fraud, such as control deficiencies. If significant control deficiencies are detected, additional tests conducted by internal auditors could be used to identify whether fraud has occurred.

• Evaluate whether management is actively retaining responsibility for oversight of the fraud risk management program, that timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, and that the plan for monitoring the program continues to be adequate for the program’s ongoing success.

• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.

• Recommend investigation when appropriate.

Appendix B includes some questions internal auditing may routinely consider in its evaluation of an ongoing fraud risk management program.

B. Internal Auditor Skepticism

Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence. An objective, skeptical internal auditor neither assumes that management or employees are dishonest nor assumes unquestioned honesty.

In all audit work, the exercise of professional skepticism is paramount. Inadequate professional skepticism is frequently cited as a significant reason why material fraud has not been detected. Internal auditors play a critical role in the success or failure of fraud risk management. With their intimate knowledge of the workings of an entity, internal auditors are in a unique position to identify many of the indicators of fraud. When internal auditors act with skepticism and they focus on the effectiveness of internal controls, the likelihood that they will notice the common characteristics of fraud is increased, and they might uncover possible fraudulent activity if and where it exists.

To allow internal auditors to exercise skepticism, IIA Standard 1111: Direct Interaction with the Board states that the CAE must communicate and interact directly with the board. In addition, Standard 1120: Individual Objectivity states that internal auditors must have an impartial and unbiased attitude, which is consistent with exercising skepticism. The audit committee’s oversight and support of the internal audit activity helps the internal auditor maintain independence and objectivity as well as keep an attitude of skepticism.

C. Communicating With the Board

The relationship between the CAE and the board of directors includes both reporting and oversight functions. Internal auditors, through the unique role they play, are well positioned to elevate the importance of fraud prevention and detection programs with management and the board. Staying aware of what is happening in their specific industry and organization will enhance internal auditors’ ability to address fraud risks with the board.

In discussions with the board, the CAE may include:

• All fraud audits performed.

• The fraud risk assessment process.

• Fraud or conflicts of interest and results of monitoring programs concerning compliance with law, code of conduct, and/or ethics.

• The internal audit activity’s organizational structure as it pertains to addressing fraud.

• Coordination of fraud audit activity with external auditors.

• Overall assessment of the organization’s control environment.

• Productivity and budgetary measures of internal audit’s fraud activities.

• Benchmarking comparisons of internal audit’s fraud activities with other organizations.

• Role of internal audit in fraud investigations.

The CAE may have a different opinion from senior management and the board about the right time to inform them of serious issues including fraud. A solution for addressing this timing concern is for the CAE to have discussions with senior management and the board before issues arise concerning what they need to know, when they need to know it, and how the communication will be made. Conducting this discussion is evidence that the CAE is complying with IIA Standard 2060: Reporting to Senior Management and the Board. The following illustration depicts an example of a document that could be prepared to clarify the nature and timing of a CAE’s communication with the board regarding fraud matters.

Sample Audit Committee Event Matrix

When Events Should be Reported to the Audit Committee

[Matrix columns: Immediately / At Next Meeting / Annual Summary / Annual Report. An X marks the reporting column that applies to each row; the extracted text does not preserve which of the four columns each X occupies.]

Event                                              Magnitude                 Reported

1 Defalcations, fraud, theft:
    Not involving senior management
        Major control breakdown                    More than $10,000         X
        Involving collusion                        More than $10,000         X
        Minor                                      Under $10,000             X
    Involving senior management                    All                       X

2 Denial of IA access to people or data            All                       X

3 Violation of Ethics Policy
    Senior management                              All                       X
    Middle management                              All                       X

4 Discussion of replacement of the CAE             All activity in advance   X

Fraud Risk Assessment

All organizations are exposed to fraud risk in any process where human involvement is required. An organization’s exposure to fraud is a function of the fraud risks inherent in the business, the extent to which effective internal controls are present either to prevent or detect fraud, and the honesty and integrity of those involved in the process.

Fraud risk is the probability that fraud will occur and the potential consequences to the organization when it occurs. The probability of a fraudulent activity is based, typically, on how easy it is to commit fraud, the motivational factors leading to fraud, and the organization’s fraud history.

A fraud risk assessment is often a critical component of an organization’s larger enterprise risk management program. The fraud risk assessment is a tool that assists management and internal auditors in systematically identifying where and how fraud may occur and who may be in a position to commit fraud. A review of potential exposures represents an essential step in alleviating the board’s and senior management’s concerns about fraud risks and their ability to meet organizational goals while promoting public confidence in the health of an organization. A fraud risk assessment concentrates on fraud schemes and scenarios to determine the presence of internal controls and whether or not the controls can be circumvented.

An important role of management is to provide oversight for the successful completion of a fraud risk assessment so that management has a better understanding of fraud risks and the controls in place to mitigate those risks. Organizations will need to reach their own conclusions with respect to the cost of controlling a risk compared to the benefits of mitigating or eliminating that risk.

A fraud risk assessment generally includes five key steps:

1. Identify relevant fraud risk factors.

2. Identify potential fraud schemes and prioritize them based on risk.

3. Map existing controls to potential fraud schemes and identify gaps.

4. Test operating effectiveness of fraud prevention and detection controls.

5. Document and report the fraud risk assessment.

The scope of the fraud risk assessment may vary widely depending on the organization’s size, complexity, or industry. For example, an online business that has few employees with limited inventory and little cash on hand would likely have different fraud risks than an organization with numerous physical locations and a large employee base with access to inventory and/or cash. One organization may complete an enterprisewide assessment and include all business areas in the assessment, while another organization may limit its focus to the most important business risk area. An organization with several subsidiaries may complete a separate assessment for each subsidiary or a combined assessment.

A. Identifying Relevant Fraud Risk Factors

The first step is to gather information about the organization’s business activities to gain an understanding of fraud risks, including external business relationship partners. This process includes review of documentation of previous frauds and suspected frauds committed against or on behalf of the organization, evaluation of related frauds at similar organizations, and review of the organization’s performance measures over the past few years compared with competitors. For example, inconsistent patterns between non-financial measures and financial measures, excessive use of licensed software, and use of others’ intellectual property may indicate possible fraud.

B. Identifying Potential Fraud Schemes and Prioritizing Them Based on Risk

Fraud, by definition, entails intentional misconduct designed to evade detection. As such, a fraud risk assessment team needs to engage in strategic reasoning to anticipate both the fraud scheme and the individuals within and outside the organization who could be in a position to perpetrate each scheme. A fraud risk assessment team is typically composed of individuals from the internal audit activity, finance, legal, IT, security, and potentially other functions depending on the nature of the organization.

The fraud risk assessment team identifies potential fraudulent schemes using brainstorming, management interviews, analytical procedures, and review of prior frauds. During this process, the fraud risk assessment team reviews the organization’s activities, schemes relevant to the industry, geography, and programs, always considering the basic characteristics of fraud (pressure/incentive, opportunity, and rationalization), asking:

• Where are the opportunities for fraud?

• What is the level of pressure management is under that would lead it to override internal controls?

• Are there any consequences if management fails to reach goals?

Specific fraud areas should be identified without consideration of the existence or effectiveness of internal controls (which is done later). The evaluation considers whether the fraud could be committed by an individual alone or requires collusion among employees or external persons.

The following factors are considered when prioritizing fraud risks:

• Monetary impact.
• Impact to the organization’s reputation.
• Loss of productivity.
• Potential criminal/civil actions including potential regulatory noncompliance.
• Integrity and security over data.
• Loss of assets.
• Location and size of operations/units.
• Company culture.
• Management/employee turnover.
• Liquidity of assets.
• Volume and/or size of transactions.
• Outsourcing.

C. Mapping Existing Controls to Potential Fraud Schemes and Identifying Gaps

The fraud risk assessment team identifies preventive and detective controls in place to address each fraud risk and assesses the likelihood and significance of each potential fraud. Entity-level anti-fraud controls such as the existence of a whistleblower hotline and whistleblower protection policy, board oversight, results of continuous monitoring, code of conduct, and the tone of management’s communications regarding their tolerance for fraud risk are important elements in this exercise. The risk of management’s override of controls needs to be explicitly considered and the cost/benefit for controlling that risk should be evaluated.

D. Testing Operating Effectiveness of Fraud Prevention and Detection Controls

Internal auditing typically plays an important role in assessing the operating effectiveness of internal controls. Internal auditors consider not only the existence of the internal control, but also the effectiveness of the internal control through periodic testing of the control. For example, an organization may implement a security policy over network passwords, which requires passwords to be changed every 30 days; however, the network system access controls do not block user access if the password is not changed as required. In this case, the internal control is present, but is not operationally effective.

Refer to Appendix C for an example of a fraud risk assessment. This template can be adapted for an enterprisewide fraud risk assessment by including other major business areas/units within the framework.
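The password-aging test described in section D, carried out as an added example that is not part of the guide: the script classifies accounts from an export and concludes whether the control (passwords changed every 30 days) is actually enforced, not merely written down. The export format, the field names and the sample records are constructed assumptions.

```python
"""Audit test for the operating effectiveness of a password-aging control.

The policy says passwords must change every 30 days. The control is only
operating effectively if an account whose password has gone stale is actually
blocked. A stale password on an enabled account is therefore an exception.
The account export layout and the sample records are constructed for this
illustration; they are not from the guide or any real system.
"""
from dataclasses import dataclass, field
from datetime import date

MAX_PASSWORD_AGE_DAYS = 30  # the policy parameter from the guide's example


@dataclass(frozen=True)
class Account:
    user: str
    last_password_change: date
    enabled: bool  # True if the account can still log in


@dataclass
class AgingTestResult:
    as_of: date
    max_age_days: int
    stale_enabled: list = field(default_factory=list)  # exceptions: control failed
    stale_blocked: list = field(default_factory=list)  # stale but access blocked
    compliant: list = field(default_factory=list)      # within the policy window

    def exception_rate(self) -> float:
        """Share of enabled accounts whose stale password was not enforced."""
        enabled_total = len(self.stale_enabled) + sum(a.enabled for a in self.compliant)
        return len(self.stale_enabled) / enabled_total if enabled_total else 0.0


def password_age_days(account: Account, as_of: date) -> int:
    return (as_of - account.last_password_change).days


def run_aging_test(accounts, as_of, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Classify every account; this is the operating-effectiveness test itself."""
    result = AgingTestResult(as_of=as_of, max_age_days=max_age_days)
    for acct in accounts:
        if password_age_days(acct, as_of) <= max_age_days:
            result.compliant.append(acct)
        elif acct.enabled:
            result.stale_enabled.append(acct)   # design says block; system did not
        else:
            result.stale_blocked.append(acct)   # control (or offboarding) worked
    return result


def control_operating_effectively(result: AgingTestResult) -> bool:
    """The control passes only if no stale password remains usable."""
    return not result.stale_enabled


def workpaper_lines(result: AgingTestResult):
    """Findings in the form an auditor would carry into the workpapers."""
    lines = [f"Password aging test as of {result.as_of.isoformat()} "
             f"(policy: {result.max_age_days} days)"]
    for acct in result.stale_enabled:
        age = password_age_days(acct, result.as_of)
        lines.append(f"EXCEPTION {acct.user}: password {age} days old, still enabled")
    for acct in result.stale_blocked:
        lines.append(f"ok        {acct.user}: stale password, access blocked")
    verdict = "effective" if control_operating_effectively(result) else "NOT effective"
    lines.append(f"Conclusion: control present, operating {verdict} "
                 f"({result.exception_rate():.0%} of enabled accounts in exception)")
    return lines


# Constructed sample export (hypothetical users, not real data)
AS_OF = date(2024, 6, 10)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 5, 20), enabled=True),   # 21 days: compliant
    Account("bob",   date(2024, 4, 1),  enabled=True),   # 70 days, still enabled
    Account("carol", date(2024, 3, 15), enabled=False),  # stale but blocked
    Account("dave",  date(2024, 5, 11), enabled=True),   # exactly 30 days: compliant
    Account("erin",  date(2024, 5, 10), enabled=True),   # 31 days, still enabled
]

if __name__ == "__main__":
    for line in workpaper_lines(run_aging_test(SAMPLE_ACCOUNTS, AS_OF)):
        print(line)
```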
E. Documenting and Reporting on the Fraud Risk Assessment

Organizations need to document the process that identifies and evaluates fraud risk. Key elements that would likely be documented in a fraud risk assessment for each significant business area include:

• The types of fraud that have some chance of occurring.

• The inherent risk of fraud considering the availability of liquid and saleable assets, organizational morale and employee turnover, the history of fraud and losses, and other specific business area indicators.

• The adequacy of existing anti-fraud programs, monitoring, and preventative controls.

• The potential gaps in the organization’s fraud controls, including segregation of duties.

• The likelihood of a significant fraud occurring.

• The business impact/significance of a fraud.

According to IIA Standard 2060: Reporting to Senior Management and the Board, the CAE must report periodically to senior management and to the board significant risk exposures and control issues, including fraud risks. Management and the CAE update the board periodically on the status and results of the fraud risk assessment. These updates report on the effectiveness of existing anti-fraud programs, as well as remediation efforts pursued by management to address gaps identified during the assessment.

Fraud Prevention and Detection

Fraud can occur at various levels in an organization; therefore, it is important to establish appropriate preventive and detective techniques. Although fraud prevention and detection are related concepts, they are not the same. Fraud prevention entails implementing policies and procedures, employee training, and management communication to educate employees about fraudulent activities. On the other hand, fraud detection entails activities and programs designed to identify fraud or misconduct that is occurring or has occurred. The interrelationship between fraud prevention, detection, and investigation is shown in the chart below.

[Chart: Preventive controls -> Detection and monitoring -> Investigations and prosecutions, each stage addressing potential fraud, waste, and abuse; lessons learned influence future use of preventive controls.]

Organizations can never eliminate the risk of fraud. There are always people who are motivated to commit fraud, and an opportunity can arise for someone in any organization to override internal controls or to collude with others to circumvent internal controls. Although every organization is susceptible to fraud, it is not cost-effective to try to eliminate all fraud risk. An organization may choose to design its controls to detect, rather than prevent, fraud risks. If the cost of designing, implementing, and monitoring internal controls against fraud exceeds the estimated impact of the risk, it may not be cost-effective to implement the internal controls.

To understand and assess the opportunity for fraud to occur in an organization, one needs to gain an understanding of the corporate culture. Corporate culture provides a holistic and comprehensive view of the overall management philosophy and control environment. A strong ethical corporate culture alone will not protect an organization from fraud. While cultivating an ethical culture is a critical first step, reducing fraud risk also requires training and education, strong policies and procedures to implement and monitor internal controls, procedures to detect fraud risk indicators on a timely basis to investigate fraud, and prosecution when appropriate.

A. Fraud Prevention

Fraud prevention involves those actions taken to discourage the commission of fraud and limit fraud exposure when it occurs. Instilling a strong ethical culture and setting the correct tone at the top are essential elements in preventing fraud. A strong principal mechanism for preventing fraud is effective and efficient internal controls, including controls related to screening customers, vendors, and external business relationship partners. An organization with effective internal controls deters fraudsters from the temptation to commit fraud. Management is primarily responsible for establishing and maintaining internal controls in an organization. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) presented a framework for assessing and improving internal control systems to fight fraud. COSO identified five components in its Internal Control–Integrated Framework: control environment, risk assessment, control activities, information and communication, and monitoring that may serve as the premise for the design of controls to fight fraud. The elements are deeply intertwined and overlapping in their nature and provide a natural interactive process to promote the type of environment in which fraud will not be tolerated at any level.

Control environment — Elements of a strong control environment help prevent fraud including the following:

• A code of conduct, ethics policy, or fraud policy to set the appropriate tone at the top.

• Ethics and whistleblower hotline programs to report concerns.

• Hiring and promotion guidelines and practices.

• Oversight by the audit committee, board, or other oversight body.

Risk assessment — Establishing a fraud risk assessment process that considers fraud risk factors and fraud schemes.

• Involving appropriate personnel in the fraud risk assessment process.

• Performing fraud risk assessments on a regular basis.

Control activities — Policies and procedures for business processes, including appropriate authority limits and segregation of incompatible duties.

Information and communication — Promoting the importance of the fraud risk management program and the organization’s position on fraud risk both internally and externally through corporate communications programs.

• Designing and delivering fraud awareness training.

• An affirmation or certification process to confirm employees have read and understand corporate policies and that the employees are in compliance with the policies.

Monitoring — Providing periodic evaluation of anti-fraud controls.

• Using independent evaluations of the fraud risk management program by internal auditing or other groups.

• Implementing technology to aid in continuous monitoring and detection activities.

B. Fraud Training

Fraud training is usually a key factor in the deterrence of fraud. Training can cover the organization’s expectations for employees’ conduct, the procedures and standards necessary to implement internal controls, and employee roles and responsibilities to report misconduct. Employees need to understand the ethical behavior expected of them to act accordingly within the organization. New employee orientations can present the organization’s mission, values and code of conduct, types of fraud, responsibility to report violations of ethical behavior and impropriety, and details of the hotline or other ways to report potential fraud.

Employee fraud training needs to be tailored to the organization and the employee’s position within the organization. Although generic fraud training can be helpful, it is more effective to identify the top fraud risk areas in the organization and develop training so that employees in key positions can better understand their role in the organization’s fraud detection program. Fraudsters may even attend the training, which can benefit the organization, as they may be deterred by seeing the organization’s fraud risk management process in action.

Periodic training throughout an employee’s career reinforces fraud awareness and the cost of fraud to the organization. Regardless of the method used to produce and disseminate the training material, one key goal is to test the employee’s comprehension of the fraud training. This can be done through online surveys that not only confirm attendance, but also offer quick exams to determine whether employees have gained the necessary knowledge from the training.

C. Fraud Detection

Organizations often rely on employees to report suspicious activity through an anonymous whistleblower hotline. Using employee feedback capitalizes on the fact that many employees within the organization want to share what they know about organizational issues. An effective way for an organization to learn about existing fraud is to provide employees, suppliers, and other stakeholders with a variety of methods for reporting their concerns about illegal or unethical behavior. Ways to collect this information include:

• Code of conduct confirmation — When employees sign an annual code of conduct outlining their responsibilities in the prevention and detection of fraud, they can be asked to report any known violations.

• Whistleblower hotline — This can take the form of a telephone hotline or Web-based reporting system where the whistleblower can remain anonymous.

• Exit interviews — Conducting exit interviews of terminated employees or those who have resigned can help identify fraud schemes. They may also help determine whether there are issues regarding management’s integrity, and may provide informa-
tion regarding conditions conducive to fraud.
Detective controls are designed to provide warnings or
evidence that fraud is occurring or has occurred. Effective • Proactive employee survey — Routine employee
internal controls are one of the strongest deterrents to surveys can be conducted to solicit employee
fraudulent behavior and fraudulent actions. Simultaneous knowledge of fraud and unethical behavior
use of preventive and detective internal controls enhances within the organization. A proactive survey could
any fraud risk management program’s effectiveness. elicit anonymous information from employees,
Although detective internal controls may provide evi- which would aid organizations in catching fraud
dence that fraud exists, detective internal controls are not sooner than if they wait for employees to volun-
intended to prevent fraud. teer such information.

Fraud detection methods need to be flexible, adaptable, All of these methods can use traditional telephone inter-
and continuously changing to meet the changes in the views, Web forms, e-mails, faxes, and face-to-face meetings.
risk environment. While preventive measures are appar-
ent and readily identifiable, detective controls may not be Other methods for fraud detection include surprise audits
as apparent (i.e., they operate in the background). in high fraud risk areas by either internal auditing, external

www.theiia.org/guidance / 21
INTERNAL AUDITING AND FRAUD

auditing, or management; continuous monitoring of criti-


cal data and related trends to identify unusual situations
or variances; and routine and/or ad hoc matching of public
data and/or proprietary data against relevant transactions,
vendor lists, employee rosters, and other data.
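The data matching and continuous monitoring just described (and the "implementing technology to aid in continuous monitoring" element under Monitoring above), shown as an added Python example that is not code from the IIA guide: it matches a vendor master against the employee roster, looks for resubmitted invoices, and counts invoice amounts clustering just under an approval limit. All records, the address abbreviation list, the 10 percent band, and the 5,000 approval limit are constructed assumptions for the example.

```python
"""Detective-control data matching: an added example, not code from the IIA
guide. Matches vendors against employees, finds duplicate invoices, and flags
amounts clustering just under an approval limit. All records are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Party:
    """A vendor-master or employee-roster record (same shape for both)."""
    party_id: str
    name: str
    bank_account: str
    address: str

@dataclass(frozen=True)
class Invoice:
    invoice_no: str
    vendor_id: str
    amount: float

def norm_address(addr: str) -> str:
    """Fold case, punctuation and a few assumed abbreviations so that
    '12 Main Street, Suite 4' and '12 MAIN ST STE 4' compare equal."""
    text = re.sub(r"[^a-z0-9 ]", " ", addr.lower())
    for word, abbr in (("street", "st"), ("avenue", "ave"), ("suite", "ste")):
        text = re.sub(rf"\b{word}\b", abbr, text)
    return " ".join(text.split())

def norm_invoice_no(no: str) -> str:
    """'INV-0042' and 'inv42' are the same reference: drop punctuation,
    case, and leading zeros at the start of each digit run."""
    compact = re.sub(r"[^a-z0-9]", "", no.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)

def vendor_employee_matches(vendors, employees):
    """Vendors sharing a bank account or address with an employee are
    candidates for fictitious-vendor or undisclosed related-party review."""
    by_bank = {e.bank_account: e for e in employees if e.bank_account}
    by_addr = {norm_address(e.address): e for e in employees if e.address}
    findings = []
    for v in vendors:
        if v.bank_account in by_bank:
            findings.append((v.party_id, by_bank[v.bank_account].party_id, "shared bank account"))
        emp = by_addr.get(norm_address(v.address))
        if emp is not None:
            findings.append((v.party_id, emp.party_id, "shared address"))
    return findings

def duplicate_invoices(invoices):
    """Invoices from one vendor whose normalized numbers collide are likely
    duplicate charges (the same bill submitted twice)."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv.vendor_id, norm_invoice_no(inv.invoice_no))].append(inv.invoice_no)
    return [nums for _, nums in sorted(groups.items()) if len(nums) > 1]

def near_limit_clusters(invoices, approval_limit, band=0.10, min_count=3):
    """Per vendor, count invoices inside the band just below the approval
    limit; a cluster there is a variance that merits a second look."""
    floor = approval_limit * (1 - band)
    counts = defaultdict(int)
    for inv in invoices:
        if floor < inv.amount < approval_limit:
            counts[inv.vendor_id] += 1
    return {vid: n for vid, n in counts.items() if n >= min_count}

def run_checks(vendors, employees, invoices, approval_limit):
    """Run all three detective checks and return the findings by check."""
    return {
        "vendor_employee": vendor_employee_matches(vendors, employees),
        "duplicates": duplicate_invoices(invoices),
        "near_limit": near_limit_clusters(invoices, approval_limit),
    }

# Constructed sample data: no real vendors, employees, accounts or invoices.
VENDORS = [
    Party("V100", "Acme Supply", "11223344", "12 Main Street, Suite 4"),
    Party("V200", "Bright Electric", "55667788", "9 Oak Avenue"),
    Party("V300", "Summit Consulting LLC", "99887766", "77 Ridge Road"),
]
EMPLOYEES = [
    Party("E1", "J. Doe", "11223344", "40 Pine St"),    # same bank account as V100
    Party("E2", "A. Smith", "12121212", "9 OAK AVE."),  # same address as V200
    Party("E3", "R. Lee", "34343434", "5 Elm Ave"),
]
INVOICES = [
    Invoice("INV-0042", "V300", 4900.00),
    Invoice("inv42", "V300", 4900.00),  # INV-0042 resubmitted under a variant number
    Invoice("INV-0043", "V300", 4950.00),
    Invoice("INV-0044", "V300", 4975.00),
    Invoice("INV-0045", "V300", 4990.00),
    Invoice("INV-7", "V100", 1200.00),
    Invoice("INV-8", "V200", 15000.00),
]
APPROVAL_LIMIT = 5000.0  # assumed single-approver limit for the example

if __name__ == "__main__":
    print(run_checks(VENDORS, EMPLOYEES, INVOICES, APPROVAL_LIMIT))
```

Each finding is a lead for follow-up by the investigation process described in the next section, not a conclusion that fraud occurred.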


Fraud Investigation

Organizations investigate for possible fraud when there is a concern or suspicion of wrongdoing within the organization. Suspicions can result from a formal complaint process, informal complaint process such as tips, or an audit, including an audit designed to test for fraud. Investigating a fraud is not the same as auditing for fraud, which is an audit designed to proactively detect indications of fraud in those processes or transactions where analysis indicates the risk of fraud to be significant.

A fraud investigation consists of gathering sufficient information about specific details and performing those procedures necessary to determine whether fraud has occurred, the loss or exposures associated with the fraud, who was involved, and how it happened. An important outcome of investigations is that innocent persons are cleared of suspicion.

Investigations attempt to discover the full nature and extent of the fraudulent activity, not just the event that may have initiated the investigation. Investigation work includes preparing, documenting, and preserving evidence sufficient for potential legal proceedings.

Internal auditors, lawyers, investigators, security personnel, and other specialists from inside or outside the organization usually conduct or participate in fraud investigations.

Investigations and the related resolution activities need to be carefully managed in accordance with laws. Local laws may direct how and where investigations are conducted, disciplinary and recovery practices, and investigative communications. It is in the best interest of the company, both professionally and legally, to work effectively with the organization’s legal counsel and to become familiar with the relevant laws in the country in which the fraud investigation occurs.

A. Investigation Process

Management is responsible for developing controls over the investigation process, including developing policies and procedures for effective investigations, preserving evidence, handling the results of investigations, reporting, and communications. Such standards are often documented in a fraud policy; internal auditors may assist in the evaluation of the policy. Such policies and procedures need to consider the rights of individuals, the qualification of those authorized to conduct investigations, and the relevant laws where the frauds occurred. The policies should also consider the extent to which management will discipline employees, suppliers, or customers, including taking legal measures to recover losses and civil or criminal prosecution. It is important for management to clearly define the authority and responsibilities of those involved in the investigation, especially the relationship between the investigator and legal counsel. It is also important for management to design and comply with procedures that minimize internal communications about an ongoing investigation, especially in the initial phases.

The policy needs to specify the investigator’s role in determining whether a fraud has been committed. Either the investigator or management will decide if fraud has occurred and management will decide whether the organization will notify outside authorities. A judgment that fraud has occurred may in some jurisdictions be made only by law enforcement or judicial authorities. The investigation may simply result in a conclusion that organization policy was violated or that fraud is likely to have occurred.

B. Internal Auditing’s Role in Investigations

The role of the internal audit activity in investigations needs to be defined in the internal audit charter, as well as in the fraud policies and procedures. For example, internal auditing may have the primary responsibility for fraud investigations, may act as a resource for investigations, or may refrain from involvement in investigations. Internal auditing may refrain from involvement because it is responsible for assessing the effectiveness of investigations or it lacks the appropriate resources to be involved in investigations. Any of these roles can be acceptable as long as the impact of these activities on internal auditing’s independence is recognized and handled appropriately.

To maintain proficiency, fraud investigation teams have a responsibility to obtain sufficient knowledge of fraudulent schemes, investigation techniques, and applicable laws. There are national and international programs that provide training and certification for investigators and forensic specialists.

If the internal audit activity is responsible for the investigation, it may conduct an investigation using in-house staff, outsourcing, or a combination of both. In some cases, internal auditing may also use nonaudit employees of the organization to assist. It is often important to assemble the investigation team without delay. If the organization is likely to need external experts, the CAE may pre-qualify the service provider[s] so external resources are quickly available when needed.

In organizations where primary responsibility for the investigation function is not assigned to the internal audit activity, the internal audit activity may still be asked to help gather information and make recommendations for internal control improvements.

C. Conducting the Investigation

An investigation plan is developed for each investigation, following the organization’s investigation procedures or protocols. The lead investigator determines the knowledge, skills, and other competencies needed to carry out the investigation effectively and assigns competent, appropriate people to the team. This process includes obtaining assurance that there is no potential conflict of interest with those being investigated or with any of the employees in the organization.

The plan should consider the following investigative activities:

• Gathering evidence through surveillance, interviews, or written statements.

• Documenting and preserving evidence, considering legal rules of evidence, and the business uses of the evidence.

• Determining the extent of the fraud.

• Determining the techniques used to perpetrate the fraud.

• Evaluating the cause of the fraud.

• Identifying the perpetrators.

At any point during this process, the investigator may conclude that the complaint or suspicion was unfounded and then the investigator follows the organization’s process to close the case.

The specific procedures employed in each investigation will differ based on the specific situation and the goals of the investigative team. The common investigative procedures include:

• Obtaining evidence: The collection and preparation of evidence is critical to understanding the fraud or misconduct, and it is needed to support the conclusions reached by the investigation team. The investigation team may use computer forensic procedures or computer-assisted data analysis based on the nature of the allegations, the results of the procedures performed, and the goals of the investigation. All reports, documents, and evidence obtained should be recorded chronologically in an inventory or log. Some examples of evidence include:


  – Letters, memos, and correspondence, both in hard copy or electronic form (such as e-mails or information stored on personal computers).

  – Computer files, general ledger postings, or other financial or electronic records.

  – IT or system access records.

  – Security and time keeping logs, such as security camera videos or access badge records.

  – Internal phone records.

  – Customer or vendor information both in the public domain and maintained by the organization, such as contracts, invoices, and payment information.

  – Public records such as business registrations with government agencies or property records.

  – News articles, internal and external Web sites, such as social networking sites.

• Interviewing: The investigator will interview individuals such as witnesses and facilitating personnel. Typically, the accused individual is interviewed after most applicable evidence has been obtained. Many investigators prefer to approach the accused with sufficient evidence that will support the goal to secure a confession. Generally the accused is interviewed by two people: 1) an experienced investigator and 2) another individual who takes notes during the interview and later functions as a witness if needed. In addition, it is essential that all information obtained from the interview is rendered correctly.

Investigative activities need to be coordinated with management, legal counsel, and other specialists, such as human resources and insurance risk management, as appropriate throughout the investigation.

Investigators need to be knowledgeable and cognizant of the rights of persons within the scope of the investigation and the reputation of the organization itself. The investigator has responsibility to ensure that the investigation process is handled in a consistent and prudent manner.

The level and extent of complicity in the fraud throughout the organization needs to be assessed. This assessment can be critical to not destroying or tainting crucial evidence, and to avoid obtaining misleading information from persons who may be involved.

The investigation needs to adequately secure evidence collected, maintaining chain of custody procedures appropriate for the situation.

D. Reporting Fraud Investigations

Reporting fraud investigations consists of the various oral, written, interim, or final communications to senior management and/or the board regarding the status and results of fraud investigations. Reports can be preliminary and ongoing throughout the investigation.

A written report or other formal communication may be issued at the conclusion of the investigation phase. It may include the reason for beginning an investigation, time frames, observations, conclusions, resolution, and corrective action taken (or recommendations) to improve controls. Depending on how the investigation was resolved, the report may need to be written in a manner that provides confidentiality for some of the people involved. In writing the report, the investigator needs to consider the needs of the board and management while complying with legal requirements and restrictions, and the organization’s policies and procedures.


Additional considerations concerning fraud reporting are:

• Submitting a draft of the proposed final communications on fraud to legal counsel for review. In cases where the organization is able to invoke attorney-client privilege, and has chosen to do so, the report is addressed to legal counsel.

• Notifying senior management and the board in a timely manner when significant fraud or erosion of trust occurs.

• The results of a fraud investigation may indicate that fraud had a previously undiscovered adverse effect on the organization’s financial position and its operational results for one or more years for which financial statements have already been issued. Senior management and the board need to be informed of such a discovery so they can decide on the appropriate reporting, usually after consulting with the external auditors.

If internal auditing conducts the investigation, IIA Standard 2400: Communicating Results provides information applicable to necessary engagement communications.

E. Resolution of Fraud Incidents

Resolution consists of determining what actions will be taken by the organization once a fraud scheme and perpetrator[s] have been fully investigated, and evidence has been reviewed. Management and the board are responsible for resolving fraud incidents — not the internal audit activity or the investigator.

Resolution may include all or some of the following:

• Providing closure to persons who were initially under suspicion but were found to be innocent.

• Providing closure to those who reported a concern.

• Disciplining an employee in accordance with the organization’s policies, employment legislation, or employment contracts.

• Requesting voluntary financial restitution from an employee, customer, or supplier.

• Terminating contracts with suppliers.

• Reporting the incident to law enforcement, regulatory bodies, or similar authorities; encouraging them to prosecute the fraudster; and cooperating with their investigation and prosecution.

• Entering into civil litigation or similar legal processes to recover the amount taken.

• Filing an insurance claim.

• Filing a complaint with the perpetrator’s professional association.

• Recommending control enhancements.

F. Communications of Fraud Incidents

In addition to fraud reporting mentioned above, the two types of communications that may result from an investigation are public communications and planned internal communications.

Management or the board determines whether to inform entities outside the organization after consultation with individuals such as legal counsel, human resources personnel, and the CAE. The organization may have a responsibility to notify government agencies of certain types of fraudulent acts. These agencies include law enforcement, regulatory agencies, or oversight bodies. Additionally, the organization may be required to notify the organization’s insurers, bankers, and external auditors of instances of fraud. Any comments made by management to the press, law enforcement, or other external parties are best coordinated through legal counsel. Typically, only authorized spokespersons make external announcements and comments.

An important decision in this process is the decision to prosecute the wrongdoer. This decision is made by management and the board, usually based on the input of legal counsel. While internal auditors do not make these decisions, they may indicate to management and the board that prosecutions discourage future fraud by reinforcing the repercussions of fraudulent behavior and thus serve as a fraud deterrent.

Internal communications are a strategic tool used by management to reinforce its position relating to integrity, to demonstrate that it takes appropriate action (including prosecution if appropriate) when organization policy is violated, and to show why internal controls are important. Such communications may take the form of a newsletter article, a memo from management, or the situation may be used as an example in the organization’s fraud training program. These communications generally take place after the case has been resolved internally, and they do not specify the names of perpetrators or other specific investigation details that are not necessary for the message or that contravene laws. An investigation and its results may cause significant stress or morale issues that may disrupt the organization, especially when the fraud becomes public. Management may plan employee sessions and/or team building strategies to rebuild trust and camaraderie among employees.

G. Analysis of Lessons Learned

After the fraud has been investigated and communicated, it is important for management and the internal audit activity to step back and consider the lessons learned. For example:

• How did the fraud occur?
• What controls failed?
• What controls were overridden?
• Why wasn’t the fraud detected earlier?
• What red flags were missed by management?
• What red flags did internal audit miss?
• How can future frauds be prevented or more easily detected?
• What controls need strengthening?
• What internal audit plans and audit steps need to be enhanced?
• What additional training is needed?

Both management and internal auditors may hold lessons learned sessions. The dynamic feedback within these sessions needs to stress the importance of acquiring up-to-date information on fraudsters and fraud schemes that can help internal auditors and the anti-fraud community engage in best practices to prevent losses.

______________________________________________

Management’s fraud policies and procedures define who has authority and responsibility for each aspect of the process. The internal audit activity may be involved as advisers to the process, as long as the impact of these activities on internal auditing’s independence is recognized and handled appropriately. In addition to advising management, internal auditors may become involved in investigations by:

• Monitoring the investigation process to help the organization follow relevant policies, procedures, and applicable laws and statutes (where internal auditing was not responsible for conducting the investigation).

• Locating and/or securing the misappropriated or related assets.

• Supporting the organization’s legal proceedings, insurance claims, or other recovery actions.


• Evaluating and monitoring the organization’s internal and external post-investigation reporting and communication plans and practices.

• Monitoring the implementation of recommended control enhancement.

Internal auditors typically assess the facts of investigations and advise management relating to remediation of control weaknesses that led to the fraud. Internal auditors may design steps in audit programs or develop “auditing for fraud” programs to help disclose the existence of similar frauds in the future.


Forming an Opinion on Internal Controls Related to Fraud

The internal auditor may be asked by management or the board to issue an opinion on the organization’s system of internal controls related to fraud. See the following publications for more information on this topic:

• The IIA’s Practice Advisories in the 2410 series.

• The IIA’s Practice Guide, Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Controls.


Appendix A – Reference Material

The Institute of Internal Auditors (IIA), Practice Advisory 1210-1: Proficiency, www.theiia.org.

The IIA, Practice Advisory 1210.A1-1: Obtaining External Service Providers to Support or Complement the Internal Audit Activity, www.theiia.org.

The IIA, Practice Advisory 1220-1: Due Professional Care, www.theiia.org.

The IIA, Practice Advisory 2030-1: Resource Management, www.theiia.org.

The IIA, Practice Advisory 2060-1: Reporting to Senior Management and the Board, www.theiia.org.

The IIA, Joining the Fight Against Corruption, 2009, www.theiia.org.

The IIA, The Role of Internal Auditing in Preventing and Detecting Misuse, Fraud, and Bribery, Patty Miller, February 2007.

The IIA, SOX Section 404: A Guide for Management by Internal Controls Practitioners, second edition, The IIA, 2008, www.theiia.org.

The IIA Research Foundation, Using Non-Financial Measures to Assess Fraud Risk, Brazel, Jones, and Zimbelman, August 2008, www.theiia.org.

Internal Auditor Magazine, “Fraud Risk Assessment,” Jonny Frank, April 2004, www.internalauditoronline.org.

Internal Auditor Magazine, “4 Steps to a Successful Fraud Risk Assessment,” Paul Zikmund, February 2008, www.internalauditoronline.org.

Internal Auditor Magazine, “The Risk Matrix Revisited,” Larry Hubbard, April 2009, www.internalauditoronline.org.

Internal Auditor Magazine, Focusing on Fraud issue, October 2009, www.internalauditoronline.org.

Public Accounting

American Institute of Certified Public Accountants (AICPA), “The Auditor’s Responsibility for Fraud and the Importance of Professional Skepticism,” 2008, www.aicpa.org.

Deloitte, Fraud & the Regulatory Environment, Stefan DuChene, March 2006, https://www.tmaccalgary.com/presentation/Stefan%20DuChene.ppt.

KPMG LLP, Profile of a Fraudster Survey 2007, www.us.kpmg.com.

KPMG LLP, Fraud Risk Management: Developing a Strategy for Prevention, Detection, and Response, 2006, www.us.kpmg.com.

PricewaterhouseCoopers (PwC), Internal Audit 2012: A Study Examining the Future of Internal Auditing and the Potential Decline of a Controls-centric Approach, 2007, www.pwc.com.

Association of Certified Fraud Examiners (ACFE)

The Association of Certified Fraud Examiners (ACFE)/American Institute of Certified Public Accountants (AICPA), Fraud Tools, www.acfe.com.

ACFE, 2008 ACFE Report to the Nation on Occupational Fraud & Abuse, 2008, www.acfe.com.

ACFE, “How Fraud Hurts You and Your Government Organization,” http://www.acfe.com/resources/fraud-tools.asp?copy=video.

ACFE, “Sample Fraud Policy,” http://www.acfe.com/documents/sample_fraud_policy.pdf.

Joint Papers

The IIA, ACFE, and AICPA, Managing the Business Risk of Fraud: A Practical Guide, 2008, www.theiia.org.

The IIA, ACFE, Information System Accountability and Control Auditors, Financial Executives Institute, Institute of Management Accountants, and Society of Human Resource Professionals, Management Anti-Fraud Programs and Controls: Guidance to Help Prevent, Deter, and Detect Fraud, 2002.

Miscellaneous

Howard Silverstone and Howard Davia, Fraud 101: Techniques and Strategies for Prevention (Second Edition), 2005.


Appendix B – Questions To Consider

Conducting timely and appropriate discussions about fraud with all levels of the organization, including the audit committee, demonstrates the proactive role the internal audit activity is taking in this area. Some of the questions that internal auditors may ask about fraud on a regular basis include:

1. Does the organization have a fraud governance structure in place that assigns responsibilities for fraud investigations?

2. Does the organization have a fraud policy in place?

3. Has the organization identified laws and regulations relating to fraud in jurisdictions where it does business?

4. Does the organization’s fraud management program include coordination with internal auditing?

5. Does the organization have a fraud hotline?

6. Does the audit charter describe internal auditing’s roles and responsibilities relating to fraud?

7. Has responsibility for fraud detection, prevention, response, and awareness been assigned within the organization?

8. Do management and the CAE update the audit committee on fraud?

9. Does management promote fraud awareness and training within the organization?

10. Does management lead fraud risk assessments and include internal auditing in the assessment process?

11. Are the results of fraud risk assessments considered in the audit planning process?

12. Are periodic fraud awareness and training programs provided to all employees?

13. Are automated tools available to those responsible for preventing, detecting, and investigating fraud?

14. Has management identified the types of potential fraud risks in its areas of responsibility?

15. Do management and the CAE know where to obtain guidance on fraud from professional organizations?

16. Do management and internal auditors know their professional responsibilities relating to fraud?

17. Has management incorporated appropriate controls to prevent, detect, and investigate fraud?

18. Does management have the appropriate skill sets in place to perform fraud investigations?

19. Do management and the internal audit activity periodically assess the effectiveness and efficiency of fraud controls?

20. Are fraud investigation workpapers and supporting documents appropriately secured and retained?

Note: This list is not a checklist. It does not include all questions that may be needed to assess fraud risks in a given organization, nor contain necessary follow-up questions that depend on the answers to previous questions. Accordingly, auditors may use this as a start to create their own tools and to brainstorm fraud risks.


Appendix C – Fraud Risk Assessment Template

This table serves as an illustrative template of a fraud risk assessment. Customization or adjustment is needed to adapt it for your organization’s fraud risk assessment.

Columns: Owner, Fraud Risks, Controls, Monitoring, Likelihood, Impact.

Owner: Construction Department
Fraud Risks: Collusion between contractor and subcontractor.
• Bid rigging.
• Bribes/kickbacks.
Controls:
• Qualify contractors prior to bidding (financial solvency, reputation).
• Formal competitive bidding procedures are used when selecting a general contractor (GC). Example: Sealed Bids.
• Subcontractor selection: For all work exceeding $ limit, competitive bidding is required by GC.
• Bid Confirmation Letters are sent to subcontractors to ensure integrity of bid process.
• Perform background check that includes searching for past fraud or ethical violations. Also, have GC sign Ethics Statement.
• Display fraud hotline number onsite.
• Periodic internal audits are completed of selected projects to determine contract compliance and search for irregularities.
Monitoring: Construction Department; Procurement; Legal; Internal Auditing
Likelihood: M
Impact: M

Owner: Construction Department
Fraud Risks:
• Design & build defects (inferior material used & construction not performed per specifications).
• Reputation risk (injury or fatality at site).
Controls:
• Execute construction contract with detailed scope of work (specifications).
• Periodic site visitations by architects, local building inspectors, engineers, commission agents, and owner’s construction representatives are made to ensure job is on schedule and built per specifications and code.
• Display fraud hotline number onsite.
• Periodic internal audits are completed of selected projects to determine contract compliance and search for irregularities.
Monitoring: Construction Department; Legal; Internal Auditing
Likelihood: M
Impact: H

Owner: Construction Department
Fraud Risks: Contractor overbilling:
• Price.
• Quantity.
• Duplicate charges.
• Fictitious billings.
• Purchase discounts not credited.
• Related-party transactions.
Controls:
• Management reviews & approves invoices.
• Cost tracking is performed to monitor each project’s expenditures and determine reasons for significant variances from capital budget.
• Research cost overruns thoroughly and obtain approval before adjusting contract price.
• Any changes to scope of work include a written change estimate with management review and approval before work begins.
• Owner’s construction estimators review cost increases or credits for accuracy and competitiveness.
• Contract states related party transaction or affiliates must be disclosed and approved by owner. Credit reports are obtained or Internet searches randomly performed.
• Display fraud hotline number onsite.
• Periodic internal audits are completed of selected projects to determine contract compliance and search for irregularities.
Monitoring: Construction Department; Capital Appropriation Committee; Legal; Estimator; Controllers; Internal Auditing
Likelihood: M
Impact: M

Owner: Construction Department
Fraud Risks: Failure to perform.
Controls:
• Signed & notarized Release of Contractor Lien is required before releasing funds to contractor.
• Procure Performance Bond in case contractor does not fulfill their contract obligations.
• A portion of the contractor’s payment due (retainage) is not paid to contractor until 100 percent of work is completed and final contractor lien releases received.
• Display fraud hotline number onsite.
• Periodic internal audits are completed of selected projects to determine contract compliance and search for irregularities.
Monitoring: Construction Department; Controllers; Internal Auditing
Likelihood: M
Impact: L

Owner: Construction Department
Fraud Risks: Theft or diversion of materials/equipment from job site.
Controls:
• Owner assigns a project manager onsite to monitor job.
• The owner’s onsite representative oversees procedures for controlling equipment and onsite materials.
• Hire onsite security guards.
• Display fraud hotline number onsite.
• Periodic internal audits are completed of selected projects to determine contract compliance and search for irregularities.
Monitoring: Construction Department; Internal Auditing
Likelihood: H
Impact: L

36 / The Institute of Internal Auditors


IPPF – Practice Guide

Authors
• Gregory S. Dubis, CIA, CCSA, CISA, CFE

• Abraham D. Akresh, CPA, CGFM

• Princy Jain, CIA, CCSA, CFE, and CA (India)

• Lynn Morley, CIA, CGA

• Theresa M. Phipps, CPA

• Richard A. Schmidt, CPA, CIA, CFE

Reviewers and Contributors

• Douglas J. Anderson, CIA, CPA

• Steve Hunt, CIA, CISA, CGEIT, CBM

• Ken Askelson, CIA, CPA, CITP

• Rich Lanza, CPA, CFE, PMP

• Peter Millar

• Marilyn Prosch, Ph.D.

• Donald E. Sparks, CIA, CISA, ARM

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of the IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through a formal review and approval process.

For other authoritative guidance materials provided by The IIA, please visit our Web site, www.theiia.org/guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
IPPF – Practice Guide

Measuring Internal Audit Effectiveness and Efficiency

December 2010

IPPF – Practice Guide
Measuring Internal Audit Effectiveness and Efficiency

Table of Contents

Executive Summary ........................................................................................1

Introduction ...................................................................................................1

Defining Internal Audit Effectiveness and Efficiency ...................................... 2

Internal and External Stakeholders ................................................................ 3

Internal Audit Performance Metrics/Measures of Effectiveness and Efficiency .......................................................................... 4
• Establishing the Performance Measurement Process ......................... 4
• Categories of Performance Information for Internal Auditing.............. 5
• Characteristics of Performance Measures: Quantitative vs. Qualitative ................................................................ 6
• Specific Measures .............................................................................. 6

Monitoring and Reporting Results ....................................................................... 7

Appendix A: Reference Material ..................................................................... 8

Appendix B: Questions that Should be Answered to Adequately Gauge and Provide to Varied Stakeholders Reasonable Assurance of Internal Audit Quality .................................................................................................. 9

Appendix C: Examples of Internal Audit Effectiveness and Efficiency Metrics.................................................................................. 10

Appendix D: Example of Reporting Internal Audit Effectiveness and Efficiency Dashboard............................................................................. 13

Appendix E: Example of Customer Survey Sent After Internal Audit is Completed ................................................................................................ 14

Authors / Reviewers and Contributors .......................................................... 16

Executive Summary

Internal auditing plays a critical role in the governance and operation of an organization. When effectively implemented, operated, and managed, it is an important element in helping an organization achieve its objectives. Organizations that effectively use internal auditing are better able to identify business risks and process and system inefficiencies, take appropriate corrective action, and ultimately support continuous improvement. To maintain and enhance internal auditing’s credibility, however, its effectiveness and efficiency must be monitored.

Establishing performance measures is critical in determining if an audit activity is meeting its goals and objectives, consistent with the highest quality practices and standards. This practice guide provides guidance to internal audit activities on measuring their effectiveness and efficiency and the level of customer service they provide to stakeholders.

The first step is to identify key performance measures for activities that stakeholders believe add value and improve the organization’s operations. Examples of stakeholders include the board, executive management, external government bodies and regulators, the external auditor, as well as the internal audit activity itself.

Sources to consider when identifying key performance effectiveness and efficiency measurements of the internal audit activity include The IIA’s International Professional Practices Framework (IPPF), the internal audit charter and mission, applicable laws and regulations, and audit strategies and plans.

Effectiveness and efficiency measurements can be quantitative and qualitative. In addition to compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), audit activity performance measures may include:
• Level of contribution to the improvement of risk management, control, and governance processes.
• Achievement of key goals and objectives.
• Evaluation of progress against audit activity plan.
• Improvement in staff productivity.
• Increase in efficiency of the audit process.
• Increase in number of action plans for process improvements.
• Adequacy of engagement planning and supervision.
• Effectiveness in meeting stakeholders’ needs.
• Results of quality assurance assessments and internal audit activity’s quality improvement programs.
• Effectiveness in conducting the audit.
• Clarity of communications with the audit client (often referred to as “auditee”) and the board.

Once key effectiveness and efficiency measurements and targets have been identified, a monitoring process and a method of reporting to stakeholders should be established (e.g., format, timing, and metrics). It is important for the internal audit activity to obtain feedback from key stakeholders on audit effectiveness and make adjustments where needed.

Introduction

The IIA’s International Professional Practices Framework (IPPF) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

The following International Standards for the Professional Practice of Internal Auditing (Standards) are relevant in measuring the effectiveness and efficiency of the internal audit activity.


1300 – Quality Assurance and Improvement Program
The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation:
A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity’s conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

1310 – Requirements of the Quality Assurance and Improvement Program
The quality assurance and improvement program must include both internal and external assessments.

1311 – Internal Assessments
Internal assessments must include:
• Ongoing monitoring of the performance of the internal audit activity; and
• Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

1312 – External Assessments
External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:
• The need for more frequent external assessments; and
• The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.

Additional guidance on applying the Standards is found in:
• Practice Advisory 1300-1: Quality Assurance and Improvement Program.
• Practice Advisory 1310-1: Requirements of the Quality Assurance and Improvement Program.
• Practice Advisory 1311-1: Internal Assessments.
• Practice Advisory 1312-1: External Assessments.

This practice guide suggests using the analysis of performance measures as an element in conducting these internal/external reviews. It provides examples to be considered when measuring an internal audit department’s effectiveness and efficiency for various internal and external customers. The examples should not be considered the only factors to use. Also see Appendix A for additional reference material on this topic.

Defining Internal Audit Effectiveness and Efficiency

A general description of effectiveness and efficiency is “the degree (including quality) to which established objectives are achieved.” The same description can be used for internal audit effectiveness and efficiency. Internal auditing should establish performance metrics and related measurement criteria appropriate to its environment/organization to measure the degree (including quality) of achievement of the objectives for which the internal audit activity is established. (See Appendix B for examples of questions that could help determine internal audit quality.) Internal audit effectiveness and efficiency should be monitored and assessed periodically as part of the internal audit process.


Internal and External Stakeholders

Typically, the key stakeholders for the internal audit activity are divided into internal and external.

Internal stakeholders may include:
• Board of directors (or a committee such as the audit committee).
• Senior management.
• Operations and support management.
• Internal auditors.

External stakeholders may include:
• Regulatory bodies and standard setters.
• External auditors.
• Third-party vendors.
• Third-party customers.

The internal audit activity should identify all relevant stakeholders and their respective interests in the work of or support from the internal audit activity and should solicit feedback from each of these stakeholders as appropriate. Specific feedback will provide insight into:
• The purpose and responsibility of internal auditing and whether that is understood by different levels within the organization.
• Adequacy of internal audit independence and objectivity.
• Target deliverables and expectations of the internal audit activity.
• Current or planned business priorities and correlation of those with the activity’s scope, as appropriate.
• Current shortcomings, if any, of the internal audit activity.
• Quality and sufficiency of communication from the activity.
• Current level of satisfaction, or lack thereof, with the frequency and nature of engagements planned and performed.
• Current level of satisfaction, or lack thereof, with the internal audit activity’s resources.
• Changing needs of business, related risks, and ability of internal auditing to provide assurance and consulting services.

Considerations in identifying relevant stakeholders and their satisfaction include:
• The extent of regulation of the organization and internal audit activity.
• Internal auditing’s relationship with key internal and external stakeholders and establishment of function expectations and objectives with these groups.
• Consideration of the authority and relevancy of the stakeholder to the internal audit activity.
• The activity’s internal feedback from key individuals, groups, or standard setters that will help further optimize the activity’s quality, scope, and effectiveness.
• The nature of the organization (e.g., public or privately held and levels of management/management hierarchies).
• Types of engagements performed by the internal audit activity.
• Specific stakeholders identified within the internal audit activity’s charter.
• Applicable content of the board’s charter.


Internal Audit Performance Metrics/Measures of Effectiveness and Efficiency

Internal auditing must effectively demonstrate its value as a key component of the organization’s governance framework.
The audit activity can lead by example with strong, relevant, and reliable performance measures.

Establishing the Performance Measurement Process


To create effective performance measures, the chief audit executive (CAE) needs to establish a process for:
• Identifying critical performance categories such as stakeholder satisfaction, internal audit processes, and innovation
and capabilities.
• Identifying performance category strategies and measurements. Strategies should be pursued in compliance with
IIA Standards, other applicable professional standards, and applicable laws and regulations and should ensure
stakeholder satisfaction. The use of performance measures can be an element of the internal audit activity’s internal
assessment process to comply with The IIA’s Standards.
• Routinely monitoring, analyzing, and reporting performance measures.

The process could follow these types of steps:

Define Internal Audit Effectiveness


• Review relevant IPPF guidance including Standards.
• Review the strategic plans of the internal audit activity and organization.
• Review the board, audit committee, and internal audit activity charters.
• Assess basic, expected, and targeted/preferred internal audit activity deliverables.
• Formulate an initial definition of internal audit effectiveness and efficiency.
• Obtain agreement from key stakeholders on the definition of effectiveness and efficiency.

Identify Key Internal and External Stakeholders
• Determine key internal and external stakeholders for the activity and organization.
• Determine who directly or indirectly relies upon the internal audit activity’s work.
• Determine who benefits, directly or indirectly, from the internal audit activity’s work.
• Consider who supports the internal audit activity.

Develop Measurements of Internal Audit Effectiveness
• Understand key stakeholders’ expectations of the internal audit activity.
• Understand what internal audit attributes, deliverables, and capabilities key stakeholders value and related
shortcomings or advancements in these areas.


• Develop measurement tools such as a balanced scorecard to document relevant attributes of effectiveness and
efficiency and related performance against these.
• Agree upon effectiveness and efficiency metrics with key stakeholders.

Monitoring and Reporting Results
• Establish an agreed upon format and frequency for reporting that considers the organization’s size, nature, and
governance structure.
• Establish a periodic review of such monitoring and reporting to ensure relevance, efficiency, and effectiveness.
• Use the results of reporting to shape and guide internal audit activities.
• Align internal audit activities to the defined measures of internal audit effectiveness and efficiency.

Categories of Performance Information for Internal Auditing


The internal audit activity should identify key performance measurement categories such as stakeholder satisfaction, audit
processes, and internal audit innovation and capabilities. Audit processes could include risk assessment, planning, and au-
dit methodologies. Innovation and capabilities could include effective use of technology, training, and industry knowledge.

When developing performance measures, the internal audit activity should consider:
• How effective are the performance measures linked to the internal audit activity’s strategy?
• Do performance measures include both leading and lagging indicators?
• Do performance measures reflect the mandate and role of the activity?
• How effectively are performance measures used for continuous improvement?
Performance metrics can be established along dimensions, interests, and perspectives of a variety of key stakeholders.
Each perspective would include related measures.

[Figure: balanced scorecard perspectives for internal auditing. Four outer perspectives: Audit Committee; Management/Auditees; Internal Audit Processes; Innovation and Capabilities. Central elements: IIA Standards; Departmental Outcomes and Priorities; Legislation/Policy.]

Source: Adapted from A Balanced Scorecard Framework for Internal Auditing Departments, by Mark Frigo, copyright The IIA Research Foundation, Altamonte Springs, FL, 2002, used with permission.


Characteristics of Performance Measures: Quantitative vs. Qualitative

Both quantitative and qualitative metrics are important in demonstrating an internal audit activity’s performance to key stakeholders, and both can be benchmarked against accepted standards, prior performance, and/or agreed-upon expectations.
• Quantitative performance metrics are often based on existing or obtainable data and are easily understood (e.g., percentage of completed vs. planned audits). They often require less effort to collect and are readily comparable to the same metrics in other organizations.
• Qualitative metrics are often based on the collection of unique information through more time intensive methods such as survey research or interviews. They offer a broad view of performance on a range of topics that can provide depth to quantitative metrics.

Specific Measures

In addition to compliance with the Standards, internal auditing’s performance measurement objectives may include: level of contribution to the improvement of risk management and control and governance processes; achievement of key goals and objectives assigned; evaluation of progress against audit plan; staff productivity; cost-efficiency of the audit process; number of action plans for process improvements; effectiveness in meeting the needs of stakeholders; and the sufficiency of quality assurance reviews.

Following is an example of a balanced scorecard type approach that an internal audit activity could use.

Each of these measures would need to be carefully and fully defined so they could be used in a consistent, transparent, and sustainable manner.

[Figure: example balanced scorecard for internal auditing. Central elements: IIA Standards; Departmental Outcomes and Priorities; Legislation/Policy.]

Audit Committee:
• Satisfaction survey
• Risk concerns
• Plan input

Management/Auditees:
• Satisfaction survey
• Average number of recommendations per audit
• Percent of recommendations implemented by corrective action date
• Cost savings
• Changes to processes

Internal Audit Processes:
• Risk coverage
• Percent completed vs. planned audits
• Number of recommendations/audits
• Actual vs. planned costs
• Elapsed audit time start date to finish
• Conformance to policy and Standards
• Quality assurance techniques developed

Innovation and Capabilities:
• Staff experience
• Training hours/auditor
• Percentage of staff holding relevant designations
• Number of innovative improvements implemented
• Number of process improvements
• Percentage of surprise risk events


Monitoring and Reporting Results

Internal auditing’s effectiveness and efficiency should be reported to its stakeholders periodically. The CAE should obtain feedback from key stakeholders on internal auditing’s effectiveness and efficiency in reporting (e.g., format, timing, metrics) and make efforts to align reporting to their needs.

Contents: What should be reported varies based on stakeholder requirements and the organization’s specific needs. A good practice is to survey key stakeholders to determine their needs and expectations, which then helps define the criteria upon which internal auditing should be measured (see Appendix E, Survey Example). Appendix C provides examples of effectiveness and efficiency measurement criteria.

Type of reporting: The CAE should evaluate the stakeholders to whom reporting is required and customize the reporting package to their individual needs.

Frequency: The frequency of reporting should be based on stakeholder needs. Quarterly reporting on internal audit effectiveness and efficiency could be a good starting point.

Format: Standards for reporting internal audit effectiveness and efficiency should be similar to standards followed for reporting other audit-related information. There are many formats for reporting, including Word, PowerPoint, dashboards based on automated tools, and e-mail. The chosen format should be tailored to meet stakeholders’ specific needs. For example, reporting to the board might be less frequent and in less detail to meet its needs in overseeing the activities of internal auditing. Reporting to management would likely be much more detailed. Refer to Appendix D for a dashboard reporting example.

Consistent processes are needed for gathering, summarizing, and analyzing measurement data. Responsibility for performing and validating measurement data should be established similar to any other audit engagement.

The CAE may consider periodic benchmarking of its current metrics and criteria with those being used by peer organizations. This can help ensure current and appropriate criteria are in place for measuring internal auditing’s effectiveness and efficiency.


Appendix A: Reference Material

Quality Assessment Manual, by The IIA (IIA Research Foundation, 2009).

The IIA’s Global Auditing Information Network (GAIN), which enables organizations to compare their audit department’s size, experience, expertise, and other metrics against the aggregated averages of similar-sized organizations in their industry.

A Balanced Scorecard Framework for Internal Auditing Departments, by Mark Frigo (IIA Research Foundation, 2002).

Internal Auditing: Assurance & Consulting Services, by Kurt Reding, Paul Sobel, Urton Anderson, Michael Head, Sridhar Ramamoorti, Mark Salamasick, and Chris Riddle (IIA Research Foundation, 2007).

Essentials: An Internal Audit Operations Manual, by Archie Thomas (IIA Research Foundation, 2009).

Performance Auditing: A Measurement Approach, by Ronell Raaum and Stephen Morgan (IIA Research Foundation, 2009).

Best Practices: Value-Added Approaches of Four Innovative Auditing Departments, by James Roth (IIA Research Foundation, 2000).

Internal Audit Effectiveness: Pushing the Right Buttons, by David Lukeman (IIA Midlands District Society – PriceWaterhouseCoopers, March 21, 2007).


Appendix B: Questions that Should be Answered to Adequately Gauge and Provide to Varied Stakeholders Reasonable Assurance of Internal Audit Quality

Source: www.theiia.org/guidance/quality. Under Advocacy, click on The Audit Committee: Internal Audit Oversight

1. Does the internal audit activity have a quality assurance and improvement program?

2. Has the activity performed its work in accordance with its charter?

3. Do the internal auditors adhere to The IIA’s Code of Ethics?

4. Are internal audits conducted in conformance with The International Standards for the Professional Practice of Internal Auditing?

5. Does the activity operate effectively and efficiently?

6. Is the staff size adequate?

7. Are the existing skill sets appropriate?

8. Does the activity contribute to the improvement of organizational operations, and is it perceived by stakeholders to add value?

9. Does the activity have the tools and other resources it needs?

10. Does the activity engage in ongoing internal reviews and analysis of supervision, documentation, policies, and procedures?

11. Does the activity engage in periodic reviews that include customer surveys, risk assessments, workpaper reviews, analysis of performance metrics, and best-practice benchmarking?

12. Do members of the team participate in professional development training?

13. Have team members acquired professional designations that demonstrate their competency?

14. Has the internal audit activity obtained an independent external quality assessment within the past five years?


Appendix C: Examples of Internal Audit Effectiveness and Efficiency Metrics

The table has four columns: Performance Measurement Category; Measures of Efficiency; Measures of Efficiency and Effectiveness; Measures of Effectiveness.

Performance Measurement Category: Basic Measures
Measures of Efficiency:
• Number of audits scheduled.
• Number of audits completed.
• Timeliness of performance feedback.
• Staff utilization – direct vs. indirect time.
• Completed audits per auditor.
• Actual hours vs. budgeted hours.
• Audit report cycle time: elapsed time from opening conference to fieldwork completion and elapsed time from fieldwork completion to final report.
• Number of internal audit reports issued vs. planned internal audits.
Measures of Efficiency and Effectiveness:
• Client satisfaction ratings.
• Staff satisfaction ratings.
• Number of significant audit findings.
• Percent of recommendations implemented.
• Number of repeat findings.
• Number of open audit findings past planned corrective action date.
• Number of unsatisfactory internal audit opinions.
Measures of Effectiveness:
• Training/CPE hours.
• Staff turnover/retention.

Performance Measurement Category: Service to Stakeholders
Measures of Efficiency:
• Responsiveness to special requests.
• Average response time to management request.
• Number of control self-assessment (CSA) sessions conducted.
• Number of auditors per 1,000 employees.
• Number of auditors per $1 million of revenue/$1 million of assets.
• Completed vs. planned audits.
• Cost savings as a percentage of department budget.
Measures of Efficiency and Effectiveness:
• Delivery of high quality service.
• Management of auditee expectations.
• Building strong relationships.
• Number of management requests.
• Number of committees and task forces audit is involved in.
• Amount of identified cost savings and percent of recoveries.
Measures of Effectiveness:
• Client survey scores (see example survey letter in Appendix E).
• Senior management survey scores.
• Audit committee survey scores.
• Number of positive and negative feedback about audits/auditors.


Performance Measurement Category: Knowledge of Business
Measures:
• Applying that knowledge to help solve complex client issues.
• Development of deep industry knowledge.
• Developing and contributing best practices, emerging issues, and industry trends.
• Best practices benchmarked.

Performance Measurement Category: Technical Development
Measures:
• Development of relevant technical knowledge:
  • Internal auditing.
  • Accounting.
  • Regulatory.
  • Business.
• Compliance with audit methodology set.

Performance Measurement Category: Innovation
Measures of Efficiency:
• Use of technology in audits.
• Creativity and efficiency.
• Number of internal audit improvement teams and time spent (by team).
• Number of hours spent in industry or other specialized training.
• Involvement in professional organizations (e.g., IIA, auditor roundtables).
• Thought leadership.
Measures of Efficiency and Effectiveness:
• Enhanced audit process.
• Number of best practices identified and communicated within an organization or internal audit activity.


Performance Measurement Category: People Development
Measures of Efficiency:
• Number of coaching sessions in a year.
• Tracking of development plan (plan vs. actual).
• Achievement of minimum training hours required.
• Percent of auditors with professional certifications.
• Percent of auditors with advanced degrees.
• Training hours per auditor.
• Auditor turnover.
• Number/percent of auditors transferred/promoted to other functions in the organization vs. the number that left the company.
Measures of Efficiency and Effectiveness:
• Average months in position.
• Number of staff rotations in and out of the internal audit activity.
• Average years of audit experience.
Measures of Effectiveness:
• Assistance in recruiting by team members (participation in review of resume, interview, etc.).


Appendix D: Example of Reporting Internal Audit Effectiveness and Efficiency Dashboard

Each section of the dashboard has the columns Area, Measure, Target, and Actual (Q1, Q2, Q3, Q4); the Target and Actual columns are left blank in this example.

Quantitative Measures
• Area: Budget management. Measure: Budget vs. actual.
• Area: Delivering the annual audit plan. Measure: Percent of audit plan delivered during the year.

Customer Services
• Area: Number/types of ad-hoc requests received for nonroutine work. Measure: Record to be kept of ad-hoc nonroutine requests by the management.

Staff Satisfaction and Development
• Area: Staff training hours/year. Measure: Actual training hours vs. budget.
• Area: Staffing plan (hiring). Measure: Plan vs. actual hired.

Audit Delivery/Efficiency
• Area: Audit reviews completed within budget and to agreed target date. Measure: Budget vs. actual.
• Area: Revise the audit methodology. Measure: Plan vs. actual revision.

Relationship with Third Parties
• Area: Use of subject matter experts (SMEs). Measure: Use of SMEs for specialized work.


appendix e:
Example of Customer Survey Sent After Internal Audit is Completed

Re: Internal Audit Feedback Survey

Dear XXXXX:

We recently performed an internal audit in your area. To continue to improve the level of service we provide
our customers, we would appreciate your candid feedback on the attached Internal Audit Feedback Survey.
We value the opinions of our clients and stakeholders and will use your feedback to continually evaluate the
quality of our audit services. Please send the completed survey back to me by (date).

If you have any questions, please do not hesitate to call me at (phone number).

Sincerely,

CAE or Auditor

INTERNAL AUDIT FEEDBACK SURVEY

AUDIT REPORT TITLE: __________________________________________

BUSINESS OWNER: _____________________________________________

The rating scale provided below is from 5 (strongly agree) to 1 (strongly disagree).

Rating scale: 5 = Strongly agree; 4 = Agree; 3 = Neither agree nor disagree; 2 = Disagree; 1 = Strongly disagree; Not done.

AUDIT QUALITY (rate each statement 5 / 4 / 3 / 2 / 1 / Not done)
1 Opening conference was held and all questions/comments were adequately addressed.
2 The final audit objectives and scope were agreed to.


3 The audit team was knowledgeable about your business.
4 The audit was completed within the timeframe communicated.
5 The audit was conducted efficiently and effectively with minimal disruption to your business.
6 The audit was conducted in a professional and courteous manner.
7 The audit team kept you informed of key issues throughout the audit.
8 All of your key business concerns/risks were addressed during the audit.
9 The closing conference allowed both sides to adequately discuss and address all comments.
10 The audit report was accurate and findings clearly communicated.
11 The audit report fairly reflected your team’s comments and corrective action.
12 The overall audit provided value to your area.

Feel free to comment on any of the above questions.

What suggestions do you have to improve future audit quality?

Thank you for completing the above survey! Please return by (Date).


Authors
Gregory S. Dubis, CIA, CCSA

Princy Jain, CIA, CCSA

Amipal Manchanda

Rita Thakkar, CIA

Reviewers and Contributors

Douglas J. Anderson, CIA

James Rose, CIA

Steven E. Jameson, CIA, CCSA, CFSA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Practice Guides are part of The IIA’s International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through a formal review and approval process. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
– Practice Guide

Quality Assurance and Improvement Program

March 2012
IPPF – Practice Guide
Quality Assurance and Improvement Program

Table of Contents

Executive Summary......................................................................................... 1
Introduction.................................................................................................... 2
What is Quality?........................................................................................ 2
Quality in Internal Audit............................................................................ 2
Conformance or Compliance?.................................................................... 2
Embedding Quality in Systems and Processes........................................... 3
Overview of a Quality Assurance and Improvement Program (QAIP)............... 3
Quality Assessments................................................................................. 5
Internal Assessments................................................................................ 5
External Assessments............................................................................... 7
Assessment Scale..................................................................................... 9
Developing and Implementing a QAIP........................................................... 10
Considerations in Developing a QAIP....................................................... 10
Quality Responsibilities........................................................................... 10
Continuous Improvement......................................................................... 10
Sample Approach – Program Sections Within an Internal Audit Activity.. 11
Reporting on the Quality Program............................................................ 12
Review of the QAIP.................................................................................. 13
APPENDIX A: Reference Material................................................................... 14
APPENDIX B: Engagement Supervision, Working Papers, and
Working Paper Quality Reviews..................................................................... 15
APPENDIX C: QAIP Components.................................................................... 17
APPENDIX D: Sample Element Self-assessment Methodology....................... 20
APPENDIX E: Sample Template for Performing Self-assessments................. 22
APPENDIX F: Definition of Internal Auditing................................................... 24
APPENDIX G: Code of Ethics......................................................................... 25
Authors and Reviewers................................................................................. 26

www.globaliia.org/standards-guidance / C

Executive Summary

The IIA’s International Professional Practices Framework (IPPF) defines a quality assurance and improvement program (QAIP) as:

An ongoing and periodic assessment of the entire spectrum of audit and consulting work performed by the internal audit activity. These ongoing and periodic assessments are composed of rigorous, comprehensive processes; continuous supervision and testing of internal audit and consulting work; and periodic validations of conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. This also includes ongoing measurements and analyses of performance metrics (e.g., internal audit plan accomplishment, cycle time, recommendations accepted, and customer satisfaction). If the assessments’ results indicate areas for improvement by the internal audit activity, the chief audit executive (CAE) will implement the improvements through the QAIP.

The following International Standards for the Professional Practice of Internal Auditing (Standards) are relevant to the development of a QAIP:

• 1300: Quality Assurance and Improvement Program.
• 1310: Requirements of the Quality Assurance and Improvement Program.
• 1311: Internal Assessments.
• 1312: External Assessments.
• 1320: Reporting on the Quality Assurance and Improvement Program.
• 1321: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing.”
• 1322: Disclosure of Non-conformance.

Additional guidance on applying these Standards can be found in the following IIA Practice Advisories:

• 1300-1: Quality Assurance and Improvement Program.
• 1310-1: Requirements of the Quality Assurance and Improvement Program.
• 1311-1: Internal Assessments.
• 1312-1: External Assessments.
• 1312-2: External Assessment – Self-assessment with Independent Validation.
• 1312-3: Independence of the External Assessment Team in the Private Sector.
• 1312-4: Independence of the External Assessment Team in the Public Sector.
• 1321-1: Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing.”

All CAEs are required to develop a QAIP that includes both internal and external assessments. Internal assessments will include both ongoing monitoring and periodic self-assessment. External assessments may be either a full external assessment or a self-assessment with independent validation.

Under the QAIP, quality should be assessed at both an individual audit engagement level as well as at a broader internal audit activity level. A well-developed QAIP will ensure that quality is built in to, rather than on to, the way the internal audit activity operates. In other words, an internal audit activity should not need to assess whether each individual engagement conforms to the Standards. Rather, engagements should be undertaken in accordance with an established methodology that promotes quality and, by default, conformance with the Standards.

This document provides guidance on the key elements of a QAIP. It covers those elements required for conformance with the Standards as well as elements that constitute better practice. QAIPs need to be tailored to the specific needs of each internal audit activity and, therefore,


may come in a myriad of forms. However, this document provides a generic framework for developing a QAIP that could be applied regardless of the size or nature of the internal audit activity.

Introduction

What is Quality?

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.
(Extract from the IPPF Definition of Internal Auditing)

Standards 1300 through 1312 specifically require the CAE to develop a QAIP incorporating both internal (self) assessments and external assessments. However, beyond these specific standards, internal audit as a profession should maintain a formal, structured approach to quality. This includes operating with proficiency and due professional care, undertaking continuing professional development, and conforming to a set of recognized standards. Each of these allows internal audit to differentiate itself from non-professional areas.

Under the IPPF, the CAE may state that the internal audit activity conforms with the Standards only if the results of the QAIP support this statement. When non-conformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the CAE must disclose the non-conformance and the impact to senior management and the board.

Quality in Internal Audit

Quality in internal audit is guided by both an obligation to meet customer expectations as well as professional responsibilities inherent in conforming to the Standards (described in the Context section). While predominantly complementary, it is a challenge for the CAE to achieve both these requirements.

Quality is not absolute. The quality of a product or service is the degree to which the product or service meets the customer’s expectations — the degree to which it is fit for purpose.

Delivering quality requires a systematic and disciplined approach as professionals — quality does not just happen. It is the combination of the right people, the right systems, and a commitment to excellence. It is driven by the leaders of the organization who are responsible for setting the “tone at the top.”

Quality has both retrospective and forward-looking elements. It includes an analysis of the degree to which existing products and services are fit for purpose and conform with standards, the efficiency of the service delivery process, as well as an assessment of the degree to which current practices will meet emerging stakeholder expectations.

Given the different elements of quality, recognizing who the customers and stakeholders are is a key step in the quality process. For an internal audit activity, this could include the board, senior management, the external auditor, and operational managers. It also could include customers and stakeholders of the broader organization such as shareholders, oversight organizations, regulators, and government agencies.

Conformance or Compliance?

Conformance with standards is a technical term borrowed from the quality management discipline. It is not about complying with the letter of the standard. Someone who is


in conformance with a standard is expected to achieve the spirit of the standard. This is consistent with a principles-based approach.1

Embedding Quality in Systems and Processes

Quality in internal audit begins with the structure and organization of the audit activity. Quality should be built in to, and not on to, the way the activity conducts its business — through its internal audit methodology, policies and procedures, and human resource practices. Each of these should be premised on a common understanding of quality and stakeholder perception of value. Ultimately, the QAIP should measure whether internal audit is meeting its own objectives, as well as those of the broader organization.

Overview of a Quality Assurance and Improvement Program (QAIP)

A QAIP should conclude on the quality of the internal audit activity and lead to recommendations for appropriate improvements. It enables an evaluation of:

• Conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
• The adequacy of the internal audit activity’s charter, goals, objectives, policies, and procedures.
• The contribution to the organization’s governance, risk management, and control processes.
• Completeness of coverage of the entire audit universe.
• Compliance with applicable laws, regulations, and government or industry standards to which the internal audit activity may be subject.
• The risks affecting the operation of the internal audit activity itself.
• The effectiveness2 of continuous improvement activities and adoption of best practices.
• Whether the internal audit activity adds value, improves the organization’s operations, and contributes to the attainment of objectives.

To achieve comprehensive coverage of all aspects of the internal audit activity, a QAIP must effectively be applied at three fundamental levels (or perspectives):

• Internal Audit Engagement Level (self-assessment at the audit, engagement, or operational level): The engagement supervisor (possibly a manager or the CAE) is responsible for providing assurance that:
  – Appropriate processes have been used to translate audit plans into specific, appropriately resourced audit engagements.
  – Planning, fieldwork conduct, and reporting/communicating results conform to the Definition of Internal Auditing, the Code of Ethics, and the Standards.
  – Appropriate mechanisms are established and used to follow-up management actions in response to audit recommendations.
  – Post-engagement client surveys, lessons learned, self-assessments, and other mechanisms to support continuous improvement are completed.
• Internal Audit Activity Level (self-assessment at the internal audit activity or organizational level): The CAE is responsible for providing assurance that:
  – Written policies and procedures, covering both technical and administrative matters, are formally documented to guide audit staff in consistent conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

1 Chartered Institute of Internal Auditors UK and Ireland, Professional guidance for internal auditors – Quality assurance and improvement programmes, 2007
2 Consideration could be given to The IIA’s Practice Guide, Measuring Internal Audit Effectiveness.


  – Audit work conforms to written policies and procedures.
  – Audit work achieves the general purposes and responsibilities described in the internal audit charter.
  – Audit work conforms to the Definition of Internal Auditing, the Code of Ethics, and the Standards.
  – Internal audit work meets stakeholder expectation.
  – The internal audit activity adds value and improves the organization’s operations.
  – Resources for the internal audit activity are efficiently and effectively utilized.
• External Perspective (independent external assessment of the entire internal audit activity including individual engagements):
  – The CAE must ensure that the internal audit activity undergoes an external assessment (either an independent external assessment or a self-assessment with independent validation) at least once every five years by an independent assessor or assessment team from outside the organization that is qualified in the practice of internal auditing as well as the quality assessment process.
  – External assessors express an opinion on the entire spectrum of assurance and consulting work performed (or that should have been performed) by the internal audit activity, including its conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Assessors also conclude on the efficiency and effectiveness of the internal audit activity in carrying out its charter and meeting the expectations of stakeholders.

[Diagram 1: Quality Assurance and Improvement Program (QAIP) Framework. Labels in the diagram: Quality Built Into an IA Activity; Internal Audit Activity (Governance, Professional Practice, Communication); Quality Assurance Over Entire IA Activity (Ongoing Monitoring, Periodic Self Assessment, External Assessment); Findings, Observations & Recommendations; Reporting & Follow Up; Continuous Improvement of IA Processes; Continuous Improvement of QAIP.]


Diagram 1 on page 4 provides a framework for embedding quality assurance and continuous improvement into an internal audit activity. The framework considers three separate activities or sections within an internal audit activity: governance, professional practice, and communication. These activities are discussed further in the “Sample Approach — Program Sections Within an Internal Audit Activity” section on page 11 and in Appendix C — QAIP Components.

The QAIP framework assumes that quality is built in to (and not on to) the structure of the internal audit activity and that quality assessments are undertaken over the entire activity. As per the Standards, quality assessments take the form of ongoing monitoring, periodic self-assessment, and external assessment. Each of these types of assessments is discussed further in the “Quality Assessments” section below.

The framework is intended as guidance only. CAEs may develop their own QAIP structure; however, the common elements of all QAIPs are that they:

• Cover all aspects of the internal audit activity.
• Enable an evaluation of conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.
• Assess the efficiency and effectiveness of the internal audit activity.
• Identify opportunities for improvement.

Quality Assessments

Assessments, whether internal self-assessments or external assessments, should include coverage of the entire internal audit activity. Using the model presented in Diagram 1 on page 4, this would include the quality of the governance activities and structures, professional practices, and communication processes. The main elements, along with some of the key objectives to be assessed, have been included in Appendix C — QAIP Components.

Internal Assessments

Internal quality assessments are comprised of two interrelated parts: ongoing monitoring and periodic self-assessment3.

Ongoing Monitoring

Ongoing monitoring provides assurance that the processes in place are working effectively to ensure quality is delivered on an audit-by-audit basis. It is primarily achieved through continuous monitoring activities including engagement planning and supervision, standard working practices, working paper procedures and signoffs, and report reviews. Additional mechanisms include:

• Acquiring feedback from audit clients and other stakeholders.
• Assessing audit engagement readiness prior to fieldwork by looking for items like pre-approval of the audit scope, innovative best practices, budgeted hours, and assigned staff (expertise).
• Using checklists or internal audit automation to give assurance on whether processes adopted by the internal audit activity (e.g., internal audit policies and procedures manuals) are being followed.
• Using measures of project budgets, timekeeping systems, and audit plan completion to determine if appropriate time is spent on different aspects of the audit process, as well as high risk and complex areas.
• Analyzing other performance metrics to measure stakeholder value.

Any weaknesses or areas for improvement should be addressed on an ongoing basis, as they are identified, and the results of ongoing monitoring must be reported to the board at least annually.

3 The term “periodic reviews,” used by The Institute of Internal Auditors in the IPPF, has been replaced by “periodic self-assessment” throughout this practice guide.


Periodic Self-assessment

A periodic self-assessment has a different but interrelated focus to ongoing monitoring. Periodic self-assessments focus on evaluating:

• Conformance with the internal audit charter, The IIA’s Definition of Internal Auditing, the Code of Ethics, and the Standards.
• The quality of the audit work, including adherence to the internal audit methodology for selected engagements.
• The quality of supervision.
• The infrastructure, including the policies and procedures, supporting the internal audit activity.
• The ways the internal audit function adds value to the organization.
• The achievement of performance standards/indicators.

Periodic self-assessments should be conducted through:

• Working paper reviews for conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and internal audit policies and procedures by staff not involved in the respective audits.
• Self-assessment of the internal audit activity with objectives/criteria established as part of the QAIP (See Appendix C for further definition of the key components of governance, professional practice, and communication).
• Review of internal audit performance metrics and benchmarking of best practices.
• Periodic activity and performance reporting to the board and other stakeholders as deemed necessary.

A well-designed periodic self-assessment program provides the CAE with information related to conformance with the Standards (Attribute and Performance Standards). The QAIP should document and define a systematic and disciplined approach to the periodic self-assessment process, including how to accomplish the periodic self-assessments and define the scope of activity for each interim year between the external quality assessments. This complement of ongoing monitoring and periodic self-assessments provides an effective structure for continuous assessment of internal audit conformance and improvement opportunities.

The main objectives of periodic self-assessments are:

• To identify the quality of ongoing performance and opportunities for improvement in internal audit processes and procedures.
• To check and validate the objectives and criteria used in the QAIP to determine whether they are still up to date, adequate, and valid.

Periodic self-assessments may include in-depth interviews and surveys of stakeholder groups, as well as benchmarking the internal audit activity’s practices and performance metrics against relevant best practices.

Following a self-assessment, an action plan should be developed to address any identified areas for improvement. This plan should include proposed timelines for actions. The result of the periodic self-assessments and the level of conformance to the Standards must be reported to the board at the completion of the self-assessment.

Periodic self-assessments are generally conducted by senior members of the internal audit activity, quality management staff with IPPF expertise (where a quality or quality management department exists), CIAs, or other competent audit professionals assigned elsewhere in the organization. Whenever possible, it is advantageous to include internal audit staff on a rotational basis in quality assessment activities. This provides a useful training opportunity for internal audit staff.


Appendix B contains further information on internal assessment processes including engagement supervision, working papers, and quality assurance file reviews.

“Quality means doing it right when no one is looking.”
– Henry Ford

External Assessments

External assessments must be conducted at least once every five years by an independent assessor or assessment team from outside the organization that is qualified in the practice of internal auditing as well as the quality assessment process.

There are two approaches to the conduct of external assessments:

• A full external assessment involves the use of a qualified, independent assessor or assessment team to conduct the full assessment.
• A self-assessment with independent (external) validation involves the use of a qualified, independent assessor or assessment team to conduct an independent validation of the self-assessment completed by the internal audit activity.

Further detail and guidance on external assessments can be found in IIA Practice Advisories:

• 1312-1: External Assessments.
• 1312-2: External Assessments: Self-Assessment with Independent Validation.

Regardless of the approach, external assessors express an opinion on the entire spectrum of assurance and consulting work performed (or that should have been performed) by the internal audit activity, including its conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards. Assessors also conclude on the efficiency and effectiveness of the internal audit activity in carrying out its charter and meeting the expectations of stakeholders. The external assessment report also should include, as appropriate, recommendations on how management can be improved and how the internal audit activity can add value to the organization. Following an external assessment, an action plan should be developed to address any opportunities identified. The results of external assessments must be reported to the board or audit committee.

Independence is critical to assuring an objective external assessment. Specific issues to consider have been highlighted in the following IIA Practice Advisories:

• 1312-3: Independence of the External Assessment Team in the Private Sector.
• 1312-4: Independence of the External Assessment Team in the Public Sector.

An external assessment may be undertaken by individuals or organizations with specific expertise in the external quality assessment process (such as an IIA Institute or a service provider) or through a peer review process.

Peer Review

Peer review arrangements can provide a cost-effective approach to meeting the requirements of Standard 1312, particularly for small internal audit activities. However, peer reviewers are required to meet the independence and qualifications criteria specified in the Standard. The following briefly outlines some of the key considerations (further details are available in the four previously identified practice advisories):

• All members of the assessment team who perform the external assessment are to be independent of that organization and its internal audit activity personnel. Real, potential, and perceived conflicts of interest should be considered.
• Individuals from within the same private sector organization but from another department or from a related organization (such as a parent organization,


an affiliate in a group of entities, or an entity with regular oversight) are not considered independent for purposes of conducting an external assessment.
• Within the public sector, individuals working in separate internal audit activities in a different entity within the same tier of government may be considered independent for purposes of conducting external assessments, as long as they do not report to the same CAE.
• Two organizations may not review each other mutually.

Reciprocal external assessment teaming arrangements between three or more organizations (e.g., within an industry or other affinity group, regional association, or government departments) may be structured in a manner that achieves the independence objective as described in the following diagram:

[Diagram 2: a reciprocal arrangement among Organization 1, Organization 2, and Organization 3.]

Self-assessment with Independent Validation for Small Internal Audit Activities

Self-assessments with independent validation provide a valuable alternative for meeting the requirements of Standard 1312 for some internal audit activities. In particular, small internal audit activities and activities that have recently undergone a full external assessment may find these useful. While they have some limitations — in that the validator does not have the opportunity to provide as comprehensive an overview of the internal audit activity as an external assessor would for a full external assessment — they offer the following benefits:

• Validations of self-assessments should be less expensive than full external assessments.
• Self-assessments offer opportunities for staff development.
• Self-assessments may be able to be linked more closely to the periodic monitoring element of internal assessments.

The CAE considers the relative skills and experience of the team or assessor chosen to undertake the self-assessment. The assessor or team prepares a self-assessment report that includes judgement on conformance to the Standards, which is provided to the validator.

Linkage to the QAIP

A fully functioning QAIP includes ongoing monitoring to ensure quality on an audit-by-audit basis, and periodic self-assessment to ensure conformance to the Standards and other rules and regulations. With such a process in place, the external assessment should effectively become an opportunity to obtain new ideas from the assessor or assessment team on ways to improve overall internal audit quality, efficiency, and effectiveness. The focus can move from conformance to new and innovative ways to better service their stakeholders and provide meaningful results. There should not be any surprises since the periodic self-assessment should provide insight into conformance on an on-going basis.

8 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Quality Assurance and Improvement Program

Assessment Scale

A QAIP should include a rating scale to assess the level of conformance of the internal audit activity with the Standards. Different options are available when deciding which assessment scale better suits particular needs. Some of those options include:

• IIA Quality Assessment Manual Scale:⁴ Does Not Conform/Partially Conforms/Generally Conforms.
• The IIA’s Assessment Scale — IIA Path to Quality:⁵ Introductory/Emerging/Established/Progressive/Advanced.
• IIA Capability Model for the Public Sector:⁶ Initial/Infrastructure/Integrated/Managed/Optimizing.
• DIIR (IIA–Germany) Guideline for Conducting a Quality Assessment:⁷ 3–Satisfactory/2–Room for Improvement/1–Significant Improvement Needed/0–Unsatisfactory/Not Applicable.

A comparison of the first two of these assessment scales is provided in the following diagram.

Diagram 3: Assessment Scales. The diagram sets the QA Manual Assessment Scale (Does Not Conform / Partially Conforms / Generally Conforms, plotted against opportunities for improvement and the effectiveness and efficiency of the IAA) alongside the Path to Quality (Maturity Model) Scale, whose levels are labelled New Internal Audit Activity (QAIP), Beginning (non-conforming; action plans), Emerging (partially conforms; self assessment), Conforming (generally conforms; external assessment, continuous improvement), Leveraging (beyond conforming; expanding roles, anticipates change, emphasizes best practice), and Leading (innovates; strategic partner, leader in IA profession, best practices).

The Standards do not require one particular assessment scale be used. Rather, the Standards require that the degree of conformance with the IPPF be assessed. The CAE or the external reviewer may choose the QA Manual Assessment Scale, the Path to Quality scale, IIA–Germany’s scale, or any other scale that assesses levels of conformance.

⁴ The Institute of Internal Auditors’ Quality Assessment Manual for the Internal Audit Activity, 6th Edition.
⁵ The Institute of Internal Auditors, The Path to Quality — Maturity Model for Implementing a QA&IP.
⁶ The Institute of Internal Auditors Research Foundation, Internal Audit Capability Model (IA-CM) for the Public Sector.
⁷ Deutsches Institut für Interne Revision e.V. (IIA–Germany), Guidelines for Conducting a Quality Assessment (QA), September 2007.

Developing and Implementing a QAIP

Considerations in Developing a QAIP

There are numerous ways to develop a QAIP, and the design should be appropriate to the size, structure, and nature of the internal audit activity.

A key aspect to developing a QAIP is to determine:

• The role of internal audit management and staff in the quality process.
• The activities that are covered through ongoing monitoring, periodic self-assessment, or external assessments.
• The frequency of self-assessments and external assessments.
• The level of quality, or maturity, desired by the internal audit activity and expected by its stakeholders.

“Quality is never an accident; it is always the result of intelligent effort.”
– John Ruskin

Quality Responsibilities

The CAE is responsible for developing the QAIP and should lead by example by embedding quality into the internal audit activity. However, the entire internal audit activity is responsible for delivering quality. Internal auditors, as professionals, should be committed to delivering quality services.

Allocating specific responsibilities for developing, delivering, and monitoring the QAIP will vary for each internal audit activity. Regardless, these accountabilities should be articulated in audit planning documentation to allow for the allocation of appropriate resources, as well as within the documented QAIP.

Responsibility for specific QAIP activities should take into account the qualifications and experience of staff. It is important that all staff are fully acquainted with the QAIP, and that specific staff responsible for activities, such as periodic self-assessments, have appropriate credibility and authority within the internal audit activity.

Continuous Improvement

The primary objective of a QAIP is to promote continuous improvement. This should occur in a planned, methodical manner. The Deming Cycle,⁸ or Plan, Do, Check, Act Model, provides a structure that may be useful in establishing the QAIP.

Diagram 4: Deming Cycle (Plan, Do, Check, Act).

To embed continuous improvement, one of the first tasks is to put into practice a performance measurement framework. Regular reporting on the defined quality metrics should provide information about the status of those measures and any deviation from the standards set, thus allowing timely corrective action to be taken, if required. The measures adopted should be checked regularly to determine whether they are generating quality as planned (e.g., by carrying out ongoing monitoring or periodic self-assessments). These should assess existing processes and investigate the extent to which internal audit is complying with the set standards, as well as the possible existence of quality shortfalls. The defined quality criteria should be reviewed in terms of their appropriateness and continuing validity, and undergo further development as required.

“It is not enough to do your best. You must know what to do, and then do your best.”
– Edwards Deming

Use should be made of the knowledge and ideas of staff, whose suggestions for improvement should be actively sought. Suggestions and requests made by audit clients, or comparisons made with other comparable audit groups in other organizations, should be utilized. A mechanism to record the input of all auditors and stakeholders should be established to prevent ideas from being lost.

Using the Deming Cycle, the QAIP continuous improvement process contains four key elements that operate in an interactive manner:

• Formal documentation of standards and expected practices (PLAN).
• Development activities to define quality and build staff awareness of standards and expectations (DO).
• Various forms of assessment and review to measure product or process quality (CHECK).
• Undertaking improvement initiatives and documenting lessons learned (ACT).

Recommendations for improvement need to be captured and formalized. This summary action plan should be continuously updated with new recommendations, status of actions underway, and items completed.

Follow-up action should be taken to ensure appropriate improvements are implemented. This could occur through periodic self-assessments and should be reported to the board. All QAIP efforts should include appropriate and timely modification of resources, technology, processes, and procedures as indicated by monitoring and assessment activities.

Sample Approach — Program Sections Within an Internal Audit Activity

A standards-based approach to a QAIP would utilize the IPPF as the basis of the QAIP and identify how each of the Standards could be assessed using ongoing monitoring, periodic self-assessment, or external assessments. While this type of approach provides the internal audit activity and its stakeholders with assurance regarding the activity’s conformance to the Standards, it is limited in terms of its ability to measure the performance of the internal audit activity against stakeholder and customer expectations. An alternative approach would be to base the QAIP around program sections or areas. This would allow for consideration of stakeholder expectations alongside requirements under the Standards.

The following diagram (Diagram 5), which structures the QAIP around the three specific activities identified in the QAIP framework, provides an example of a program-based approach. These three activities are governance, professional practice, and communication. The main elements in each activity, along with some key objectives of the assessment, have been described in Appendix C. Professional judgement should be used to determine the applicability of these elements for each particular organization, as well as to identify any additional elements.

⁸ http://www.balancedscorecard.org/TheDemingCycle/tabid/112/Default.aspx


Diagram 5: Program Based QAIP Structure

Internal Audit Activity
• Governance: IA Charter; IPPF; Legislation; Independence & Objectivity; Risk Management; Resourcing.
• Professional Practice: Roles and Responsibilities; Risk-based Audit Planning; Other Assurance Providers; Audit Engagement Planning; Performing the Engagement; Proficiency & Due Professional Care; Quality Assurance.
• Communication: Communicating Results; Follow Up; Stakeholder Communications.

Assessment Methodology

For each of the elements, objectives and criteria should be identified along with the methodology or documentation, which should be examined to determine the level of conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and stakeholder expectations. Once the documentation has been examined and an assessment of the objective completed, a rating should be determined using the assessment scale adopted by the organization. Any deficiency or recommendation should be documented at this point and appropriate action taken to implement any action plan.

An example of the methodology which could be used for the assessment of the elements, including the objective, draft criteria, and preliminary methodology, has been provided in Appendix D. In addition, a sample template which could be used to document findings and observations of each element has been provided in Appendix E.

Reporting on the Quality Program

The results of ongoing monitoring must be communicated annually to the board and other appropriate stakeholders. Further, the results of any periodic self-assessments or external assessments, and the level of conformance with the Standards, must be reported to the board after their completion. The QAIP and the resulting action plan (sometimes referred to as a management action plan) should be made available to external assessors and be robust enough for external reliance.


Diagram 6: “Program Section” Assessment Methodology

The diagram shows the assessment hierarchy for one section of the internal audit activity (Professional Practice is expanded; program elements are also assessed for the Governance and Reporting sections):
• The Internal Audit Activity is divided into the Governance, Professional Practice, and Reporting sections, each made up of program elements.
• An objective is defined for each element.
• Criteria are identified for each objective (the number of these may vary), e.g., Criterion 1, Criterion 2, Criterion 3.
• A QA process (methodology) is developed for each criterion.
• Each criterion is assessed, and the assessments are consolidated into the Quality Assessment Results.
• QA results are captured back into continuous improvement and reported to stakeholders.

Review of the QAIP

The QAIP also should be reviewed at least annually and individual sections of the program should be updated throughout the year as required. The inputs to the review include, but should not be limited to:

• New and revised standards, policies, and procedures.
• Results from quality assessments.
• Customer (user) feedback.
• Status of resulting action plans.
• Follow-up actions from previous assessments and/or reviews.
• Other changes that could impact the quality management system.
• Recommendations for improvement.


Appendix A: Reference Material

The IIA’s Practice Guide, Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing, April 2011.
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/assisting-small-internal-audit-activities-in-implementing-the-international-standards-for-the-professional-practice-of-internal-auditing/

Essentials: An Internal Audit Operations Manual, IIA Research Foundation, 2009.
http://www.theiia.org/bookstore/product/essentials-internal-auditing-operations-manual-1070.cfm

Guidelines for Conducting a Quality Assessment (QA), September 2007, DIIR - Deutsches Institut für Interne Revision e.V. (IIA–Germany).
http://www.diir.de/fileadmin/zertifizierung/qa/downloads/QA-Guideline-english.pdf

IIA Guidance & Resources, Quality Web page.
http://www.theiia.org/guidance/quality/

IIA Standard 1312: External Quality Assessments: Results, Tools, Techniques and Lessons Learned – Download PDF, IIA Research Foundation, 2007.
http://www.theiia.org/bookstore/product/iia-standard-1312-external-quality-assessments-results-tools-techniques-and-lessons-learned-2007-1399.cfm

Implementing the International Professional Practices Framework, Updated 3rd Edition, IIA Research Foundation, 2011.
http://www.theiia.org/bookstore/product/implementing-the-international-professional-practices-framework-3rd-edition-1423.cfm

Internal Audit Capability Model (IA-CM) For the Public Sector, IIA Research Foundation, 2009.
http://www.theiia.org/bookstore/product/internal-audit-capability-model-iacm-for-the-public-sector-1422.cfm

International Professional Practices Framework (IPPF), The Institute of Internal Auditors, January 2011.
http://www.theiia.org/bookstore/product/international-professional-practice-framework-2011-1533.cfm
http://www.theiia.org/bookstore/product/international-professional-practice-framework-2011-cdrom-1534.cfm

Path to Quality — Maturity Model for Implementing a QA&IP, The Institute of Internal Auditors.
http://www.theiia.org/guidance/quality/the-external-quality-assessment-process/path-to-quality/

Professional guidance for internal auditors – Quality assurance and improvement programmes, Chartered Institute of Internal Auditors UK and Ireland, 2007.
www.iia.org.uk/download.cfm?docid=4CCF8AEF-3D39-49B7

Quality Assessment Manual for the Internal Audit Activity, 6th Edition, IIA Research Foundation, 2009.
http://www.theiia.org/bookstore/product/quality-assessment-manual-6th-edition-1392.cfm
http://www.theiia.org/bookstore/product/quality-assessment-manual-6th-edition-cdrom-1396.cfm


Appendix B: Engagement Supervision, Working Papers, and Working Paper Quality Reviews

Engagement Supervision

Adequate supervision is the most fundamental element of any quality control process. Supervision is a process that begins with planning and continues throughout the performance and communication phases of the engagement.

Engagement supervision is intended to ensure that internal audit staff at all levels are appropriately supervised throughout audit engagements to monitor progress, assess quality, and provide coaching. The extent of supervision will depend on the experience and training of the individual auditor and the size of the internal audit activity. Particular care should be taken to ensure that all work by trainee auditors is subject to comprehensive supervision. The work of outside resources, such as consultants, also should be supervised and monitored. Supervision should include:

• Ensuring conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and the organization’s policies and procedures.
• Providing suitable instructions at the outset of an audit engagement.
• Approving audit objectives, scope, and work plans prior to the commencement of fieldwork.
• Ensuring audits are conducted as planned or that variations are approved.
• Ensuring that appropriate audit techniques are used.
• Ensuring that audit findings, conclusions, and recommendations are adequately supported by relevant, reliable, and sufficient evidence.
• Ensuring that appropriate working papers have been prepared and maintained.
• Ensuring that reports are accurate, objective, clear, concise, and timely.
• Ensuring that work is achieved within resource budgets (time and expense control), or that variations are approved.
• Ensuring that internal audit staff are trained and developed, and employee performance evaluations are completed.

Working Papers

Engagement working papers generally:

• Provide the principal support for engagement communications.
• Aid in the planning, performance, and review of engagements.
• Document whether the engagement objectives were achieved.
• Facilitate third-party reviews.
• Provide a basis for evaluating the internal audit activity’s audit program.
• Provide support in circumstances such as discussions with management, fraud cases, and lawsuits.
• Aid in the professional development of internal audit staff.
• Demonstrate the internal audit activity’s conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Working Paper Quality Reviews

Quality assurance at the engagement level is provided primarily by the audit team, through their exercise of due professional care during the audit engagement. Quality checks and management oversight should be carried out continually during the audit engagements to ensure conformance with the Definition of Internal Auditing, the Code of Ethics, the Standards, and internal policies and procedures.

Working paper quality reviews should be performed on selected audits as part of both the ongoing monitoring and periodic self-assessment processes. The objectives of the


review of completed files is to establish that sufficient, relevant work was performed to substantiate the findings contained in the internal audit reports, and that the information was effectively reported to the engagement client on a timely and factual basis. The reviewer also will verify that agreed-upon procedures have been performed in an efficient and effective manner. The review may include, but is not limited to:

• Ensuring that the audit engagement, audit objectives, criteria, and approach were appropriate.
• Ensuring that conclusions and recommendations were reached based on relevant and sufficient evidence.
• Ensuring reports were accurate, objective, clear, concise, and timely.
• Ensuring that appropriate supervision was provided throughout the audit process and that responsibility was delegated to the appropriate individual.
• Reviewing the audit policies and procedures used for each engagement to ensure conformance with applicable planning, performance, and communication standards.

Working paper quality reviews should be conducted after the lead internal auditor and designated supervisor have completed their review of the working papers.

The same professional care should be taken with working paper quality reviews as with other internal audit efforts, including adequately planning the review, documenting findings, developing supportable recommendations, and soliciting engagement client comments.

Working paper quality reviews should be performed on a regular, ongoing basis. The review should consist of ensuring that the audit report is free of defects, as well as a detailed review of the audit comments and supporting working papers to certify the accuracy of statements made and the appropriateness of conclusions reached. The reviewer should be able to quickly find supporting evidence, approvals, rationale for changes, and evidence of supervisory review.

Equally important, the reviewer should document evidence of the quality assurance review. Although time-consuming, these procedures bring credibility and confidence to those circumstances where internal auditors are called on to explain their work. The quality assurance reviewer should ensure that all schedules are footed and all appropriate sign-offs are present. The quality assurance reviewer should check to make sure that the entire report and working papers are in conformance with the Standards. The reviewer is encouraged to make suggestions that will improve the quality of the audit report and working papers without significantly increasing time consumption. This could include action plans and links back to the Continuous Improvement element of the Deming Cycle.

In addition to the internal working paper quality reviews, a sample of working paper files should be independently reviewed as part of the external quality assessment.

Considerations for Small Internal Audit Activities

Working in a small internal audit activity presents specific challenges with regards to engagement supervision and working paper reviews. These challenges are further compounded in a sole auditor activity.

In sole auditor activities, the internal auditor may seek assistance from other parts of the organization to undertake quality assurance activities, provided this does not impact the independence of internal audit. The internal auditor also may look to peers in other organizations for support. Using checklists can assist in providing assurance over audit quality.

The IIA Practice Guide, Assisting Small Internal Audit Activities in Implementing the International Standards for the Professional Practice of Internal Auditing, provides further guidance regarding quality assurance in small audit activities.


Appendix C: QAIP Components

Section I: Governance

The main elements, along with some of the key objectives, to be assessed in the Governance section include:

• Internal Audit Charter:
  – Internal audit’s purpose, authority, and responsibility are formally defined in a charter, consistent with the Definition of Internal Auditing, Code of Ethics, and the Standards.
  – The internal audit strategy is aligned with the organizational strategy.
  – The internal audit activity’s charter provides assurance that the internal audit activity will add value and improve the organization’s operations.
  – The internal audit activity’s charter, mission statement, goals, and similar documents are implemented in an effective manner.
• International Professional Practices Framework (IPPF):
  – The internal audit activity is in conformance with the Definition of Internal Auditing, Code of Ethics, and the Standards.
• Legislation:
  – The internal audit activity is in compliance with other applicable laws, regulations, or policies.
• Independence and Objectivity:
  – The internal audit activity’s structure, objectivity, roles and responsibilities, and key governance processes are appropriate for managing the function.
  – The internal audit activity is independent and objective in the performance of its work.
  – The organizational status of the internal audit activity is sufficient to permit accomplishment of the objectives.
  – Broader organizational governance arrangements provide assurance regarding auditor independence and objectivity.
• Risk Impacting the Internal Audit Activity:
  – Risks impacting the internal audit activity have been identified and managed.
• Resourcing:
  – The appropriate level of financial and IT resources are available to the internal audit activity to enable it to achieve its objectives in an efficient and effective manner.

Section II: Professional Practice

The main elements, along with some of the key objectives, to be assessed in the Professional Practice section include:

• Roles and Responsibilities:
  – Roles and responsibilities of staff within the internal audit activity are formally documented.
  – The internal audit activity has fulfilled its responsibilities in regards to governance, risk management, and control.
• Risk-based Audit Planning:
  – The audit planning process is aligned with the organization’s strategic objectives.
  – The perspectives of senior management and the board are considered in audit planning.
  – The process of audit planning ensures that all activities of the organization are considered for audit, subjected to a risk assessment, ranked in order of priority, and that appropriate audit objectives for each audit selected have been established. This may include documentation of an audit universe.


  – An effective annual planning process exists including appropriate processes for the reporting of progress toward achieving the established plan.
• Coordination with Other Assurance Providers:
  – Internal audit activities are coordinated with those of other assurance providers.
• Audit Engagement Planning:
  – Risks relevant to the activity under review are assessed. The engagement objectives reflect the results of the assessment.
  – Appropriate resources are allocated for audit work to identify significant issues.
  – Work programs to achieve the engagement objectives are developed.
• Performing the Engagement:
  – Engagement processes, including identifying information, analysis, and evaluation, ensure that the steps in the audit program developed at the end of the planning phase are completed in an effective and efficient manner.
  – Audit techniques, including the use of internal audit automation and computer assisted auditing techniques, are used as appropriate to provide assurance that work is performed efficiently and effectively.
  – The evidence gathered substantiates the audit findings and establishes the cause and effect of issues identified as needing improvement.
  – Information acquired when the audit is conducted is described and retained in working papers to clearly document the audit process and identify findings.
  – Audit records are appropriately maintained.
  – Audits are appropriately supervised for professional development and to provide assurance that due professional care is applied.
• Proficiency and Due Professional Care:
  – The internal audit activity collectively possesses or sources the knowledge, skills, and other competencies to perform its responsibilities.
  – Internal auditors display due professional care in the performance of their responsibilities.
  – Continuing professional development is provided to allow internal auditors to enhance their knowledge, skills, and other competencies.
  – Management and leadership development is embedded within the internal audit activity.
• Quality Assurance:
  – A QAIP is in place that covers all aspects of the internal audit activity and the QAIP effectiveness is continuously monitored.
  – Internal audit has processes in place to track and record progress toward established objectives, plans, and budgeted resources.

Section III: Communication

The main elements, along with some of the key objectives, to be assessed in the Communication section include:

• Audit Engagement Reports:
  – The final report presents the purpose, scope, and significant findings, including the causes and effects, conclusions, recommendations, and the engagement client’s action plans to address the issues outlined.
  – An effective process is in place to ensure that the audit results are presented to the appropriate level of management timely for discussion and response.
  – Reports are provided to and/or are reviewed by senior management and the board.
  – The form and content of audit communications meet stakeholder expectations.


  – The phrase “conducted in accordance with the Standards” is utilized only under appropriate circumstances.
• Follow-up Phase:
  – An appropriate follow-up process to ensure that management actions have been effectively implemented has been established and is being maintained.
• Stakeholder Communications:
  – The internal audit activity’s communication practices inform the board and appropriate stakeholders of work undertaken.
  – A performance management and measurement process is in place to ensure that the effectiveness of the internal audit activity is optimized and recognized.
  – Engagement client satisfaction with the audit process is measured by the internal audit activity, including the level of professionalism demonstrated by the internal auditors and opportunities for improvement.
  – The extent of satisfaction of other stakeholders with the internal audit process and products is measured (this may include a self-assessment questionnaire and a satisfaction survey for engagement clients).
  – The role and services offered by internal audit are understood by stakeholders and considered to be value-added.


Appendix D:
Sample Element Self-assessment Methodology

Example Section II — Professional Practice

Element: Risk-based Audit Planning

Objective: An effective annual planning process exists including appropriate processes for the reporting of progress toward the established plan.
(Refer to objective on page 22.)

Draft Criteria:
A process is in place and is used to develop the annual internal audit plan to verify that:
• All organizational components, programs, and activities were considered.
• Senior management was involved in the process.
• The plan was prepared timely and distributed to the appropriate levels of management.

Preliminary Methodology:
In consultation with internal audit, determine the audit plan development process used (obtain any process documentation available).
Review any minutes or follow-up correspondence/confirmations of planning process meetings and verify:
• Attendance by all parties to the process.
• Input was requested from all stakeholders.
• The plan from the previous fiscal year was reviewed to identify any engagements not yet completed for consideration for the current year’s plan.
• A formal risk analysis and assessment of all suggested projects was performed and documented.
• Organizational components, programs, and activities were considered.
• A draft annual plan was presented to senior management and the board and subsequently approved.
• The distribution list for the draft annual plan as well as the approved audit plan.

IIA Standard: 2010

Note: Tool 19 in the Quality Manual may be useful as a source of potential criteria.


Element: Risk-based Audit Planning (continued)

Draft Criteria:
A process for selection of engagements to be conducted is documented and includes criteria such as:
• Past audit coverage and results.
• Materiality.
• Significance to management.
• Risk (based on a standardized methodology).
• Auditability.
• Engagements not completed from the previous year’s plan.
• Organizational priorities.
• Opportunities for improvement.
• Legislative or other mandated obligations.

Preliminary Methodology:
Review last year’s plan and results.
Review annual report on progress made from previous fiscal year.
Review documented risk analysis and assessment to determine criteria applied.
Confirm that justification was documented for engagements cancelled or deferred that were either brought forward from last year’s plan or were proposed in the current year process.
Review approved annual plan to determine engagements to be conducted.
Review the process used to ensure that a formal risk analysis and assessment of all suggested projects was performed and documented.

IIA Standard: 2010, 2050

Draft Criteria:
For each audit selected for the plan, the plan provides:
• A clear indication of the objective and scope.
• An estimate of resource requirements, in terms of direct time, to conduct the engagements.
• The number of auditors and the skills required.

Preliminary Methodology:
Review the annual plan to confirm that all required details have been incorporated.
Compare the details approved to the relevant details on a sample of audit planning memorandums, and document any variances.
Determine that variances were accounted for and approved.

IIA Standard: 2030

Draft Criteria:
The process for tracking the progress made in support of the annual plan results in reports that:
• Provide an objective statement describing each engagement, and indicate the status by showing key deliverable dates, designated contacts, as well as relevant narrative comments.
• Are timely, accurate, and disseminated to the appropriate levels of management.

Preliminary Methodology:
Through interviews, determine and document the process for reporting on progress against the annual plan.
Compare monthly status reports to the annual plan.
Review documentation on presentations made to senior management and the board.
Assess effectiveness of the process in achieving the criteria addressed.

IIA Standard: 2020, 2060

Draft Criteria:
Reports prepared on the results achieved in support of the annual plan are appropriately used for decision making, and resources are appropriately utilized.

Preliminary Methodology:
Interview members of senior management and the board to determine the utilization of monthly status reports content.
Review minutes or emails regarding any pertinent meetings.

IIA Standard: 2020, 2060


Appendix E:
Sample Template for Performing Self-assessments

The template has three columns: Title, Instructions/Description, and Assessment/Remarks. The Assessment/Remarks column is left blank for the assessor to complete.

QAIP Objective: The objectives as identified in each component of the QAIP should be listed here. Additional objectives also may be added as necessary.
For example (using Appendix D): An effective annual planning process exists including appropriate processes for the reporting of progress toward the established plan.

QAIP Criteria: The audit criteria from the QAIP for each objective should be listed here. Additional criteria also may be added. Criteria should be clear, relevant, reliable, and complete. Ensure that they are reasonable and attainable and that they provide a basis for developing observations and conclusions.
For example (using Appendix D): A process is in place and is used to develop the annual internal audit plan to verify that:
• All organizational components, programs, and activities were considered.
• Senior management was fully involved in the process.
• The plan was prepared timely and distributed to the appropriate levels of management.

Quality Assessment Procedure/Methodology: Quality assessment procedures or methodologies should be developed for each QAIP criterion. These methodologies are the procedures that an assessor should perform to verify whether criteria are met.


Control Point: By establishing a control point, an assessor would be able to know which of these criteria or procedures are more important than the others, and prioritize the criteria, quality assessment procedures, and results. Using the list of criteria above, identify which of the criteria are critical for the achievement of this objective.
For example: It is critical that all organizational components, programs and activities have been considered in the development of a risk-based audit plan, otherwise the plan may be inaccurate as a result of not considering all potential risk elements. However, although important, even if the plan was not prepared on a timely basis and was not distributed to the appropriate levels of management once approved, the organization could still have a reasonably effective annual planning process in place.

Working Paper File Reference: It is necessary to keep track of the working paper file references when performing the quality assessment on the internal audit activity. By doing so, the assessor would be able to ensure that the working paper file is appropriately maintained and administered in support of the audit observations and findings.

Criteria Met: By performing the quality assessment procedures identified, the assessor will be able to determine if the criteria have been met. The assessor should simply qualify the response by using Yes, No, or Partially.

Assessor’s Comments: An assessor should provide comments for any unmet or partially met criteria.

Assessment/Rating: Provide an assessment of the objective/criteria based on the assessment scale adopted by the organization.


Appendix F:
Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


Appendix G:
Code of Ethics

Principles
Internal auditors are expected to apply and uphold the following principles:

1. Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2. Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

3. Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

Rules of Conduct

1. Integrity
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

2. Objectivity
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organization.
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

3. Confidentiality
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

4. Competency
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.


Authors:
Sally-Anne Pitt, CIA, CGAP

Gibby Armstrong, CIA

Jacques Lamothe, CIA

Judy Grobler, CIA

Max Haege

Reviewers:
Archie Thomas, CIA

Shannon Sumner

Bonnie Glasier, CIA

Takuya Morita, CIA

David MacCabe, CIA, CGAP

James Alexander, CIA

Carlos Reyes Balza, CIA, CRMA

Don Sparks, CIA

Narendra Aneja, CIA

Steve Jameson, CIA, CCSA, CFSA, CRMA

Erich Schumann, CIA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2012 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave., Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org

IPPF – Practice Guide

Reliance by Internal Audit on Other Assurance Providers

DECEMBER 2011

Table of Contents

Executive Summary......................................................................................... 1
Introduction.................................................................................................... 1
Principles for Relying on the Work of Internal or External Assurance Providers....................................... 4
Relying on Internal Assurance Providers......................................................... 6
Relying on External Assurance Providers....................................................... 10
Appendix A: Services Provided by External Assurance Provider..................... 13
Appendix B: Guide for Internal Auditors to Assess the
Reliability of Other Assurance Providers........................................................ 17
Glossary ...................................................................................................... 21
About the Authors and Reviewers................................................................. 26


Executive Summary

Chief audit executives (CAEs) are charged with providing assurance on the adequacy of governance, risk management, and related internal controls. This gives management and an organization’s governing body, including the audit committee, an assessment of risk, governance, and control processes and practices across the organization, rather than a series of audit reports on individual areas of the organization. Since the risk profile is in a perpetual state of change, internal audit functions are challenged in meeting this expectation using traditional, point-in-time, or cycle audit methods and resources.

Ever-increasing compliance requirements and business complexity have driven companies to establish or procure other risk management and assurance functions. They are charged with measuring and reporting risk, identifying control gaps, tracking remediation, and concluding whether control processes are operating effectively in specific areas. Examples of internal assurance providers include environmental compliance groups, quality management functions that focus on manufacturing activities, internal control teams that assess controls over financial reporting, and IT governance groups. External assurance providers are often engaged to communicate an opinion to another auditor regarding specific control objectives operated by a service provider. These activities provide assurance on the areas they assessed and recommendations to strengthen the related controls, often in areas that are within the scope of internal audit’s work.

This practice guide provides guidance to the CAE and internal audit leadership on an approach for relying on the assurance provided by other internal or external assurance functions. A continuum of five principles determines the extent of reliance:

1. Purpose.
2. Independence and Objectivity.
3. Competence.
4. Elements of Practice.
5. Communication of Results and Remediation.

The principles are interdependent. To illustrate, the CAE would place higher value on assurance providers who commit to a common purpose, convey objective expertise, and practice rigor and monitoring to shorten the time to management action. The results of these other assurance providers can be integrated with the work of internal audit to communicate a comprehensive opinion to key stakeholders. The guidance gives a process for valuing the work of others and assessing the reliability of assurance providers. In turn, good coordination attracts greater reliance on internal audit, decreasing the cost of compliance and increasing the efficiency of providing assurance.

Introduction

1.1 Introduction
Internal audit is charged by the International Standards for the Professional Practice of Internal Auditing (Standards) with providing assurance on the adequacy of governance, risk management, and related controls. In many organizations, management has established (or engaged a third party to provide) other assurance functions — such as in the areas of IT projects, manufacturing quality, environmental health and safety, controls over financial reporting, and other regulatory compliance. The purpose of this practice guide is to provide ideas and ways to leverage the work of other assurance providers, whether the assurance is provided internally within the organization or externally, to minimize duplication of work and disruption to the operation, provide enhanced coverage, and conserve audit resources for high-risk processes.

Standard 2050: Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.


An added value to the organization of coordinating the activities of the various assurance providers is limiting duplicate work. Multiple audits or examinations of the same risks and testing of the same controls by multiple assurance providers is an unnecessary burden on process owners and an inefficient use of resources. If one assurance provider, such as internal audit, can rely on the work of another, the value is clear.

1.2 Who are assurance providers?
IIA Practice Advisory 2050-2: Assurance Maps describes three classes of assurance providers, differentiated by the stakeholders they serve, their level of independence from the activities over which they provide assurance, and the robustness of that assurance:

A. Those who report to management and/or are part of management (management assurance), including individuals who perform control self-assessments, quality auditors, environmental auditors, and other management-designated assurance personnel.
B. Those who report to the board, including internal audit.
C. Those who report to external stakeholders (such as external audit assurance, which is a role traditionally fulfilled by the independent/statutory auditor).

The IIA defines assurance as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes. The level of assurance desired, and who should provide that assurance, will vary depending on the risk and stakeholder expectations. The scope of the internal audit function covers the entire organization, including risk management processes (both their design and operating effectiveness), and the management of those risks classified as “key” or significant (including the effectiveness of the related controls).

1.3 Benefits
The IIA’s Standards define an internal audit activity as:

“A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.”

It is noteworthy that this definition emphasizes objective assurance and does not reference an expectation for delivering audit reports or ensuring compliance. Traditionally, internal auditors spend a significant amount of time performing direct inspection audits, but there are other ways to provide assurance. The typical organization has a number of different groups who provide risk management, compliance, and assurance activities independently of one another. In many cases these groups are testing controls deeper and with greater frequency than the internal auditor. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged. By adopting a more integrated assurance model that includes the internal auditor relying on the work of others, several benefits accrue to the organization. These include:

• More precise assurance by involving greater subject matter expertise in audit activities. For example, reliance on an environmental compliance group with specialized knowledge and certifications in the field of environmental regulations may improve the level of insight into operations and the quality of assurance provided.
• Reduced redundancy of effort (audit once, audit well) and ‘audit fatigue’ for the organization.
• Expanded coverage of the enterprise without increasing direct audit hours. (Reliance on others may allow internal audit to reduce the hours spent in that area and allocate them to other risk areas.)
• Shortened time to management action. For example, the other assurance provider may have continuous monitoring methods in place, or management may have integrated responses to issues detected by other assurance groups into routine business processes.
• Strategic collaboration, transparency, and better governance for meeting organizational objectives resulting in predictable compliance. When all the groups involved in assurance cooperate and share information, insights, and best practices, the quality of the whole effort is likely to rise.

Reliance on other assurance groups may enable the CAE to redirect scarce audit resources to other areas of significant risk to the enterprise. For example, the audit plan may be expanded to include additional strategic risks, or risks in connection with mergers and acquisitions, major IT and other initiatives and capital programs, and research and development processes.

The IIA’s Practice Guide, Coordinating Risk Management and Assurance, advises the CAE to help in the creation of an assurance map for the organization to create a more connected assurance and governance community. Assurance maps help identify duplication and overlap in assurance coverage, define scope boundaries and roles for various assurance providers and determine gaps in assurance coverage that need to be addressed.

1.4 Risk
Relying on other assurance providers, however, can add audit risks such as:

• Missing a control weakness or deficiency and reaching the wrong conclusion due to defects in the work or coverage of the other assurance provider.
• Failing to identify issues that are not shared by the other assurance provider due to their lack of independence from management.
• Raising as an exception and issuing a matter out of context that would not ordinarily be considered significant by internal audit, due to differences in risk assessment processes.

Since external and internal assurance providers and the internal auditor may have different purposes, it is important to manage expectations beforehand regarding the purpose of the review, the objectivity and competence of the evaluator, the rigor of the assessment and testing processes, and the timeliness of the conclusion.

1.5 Opportunity
Other sources or forms of assurance can advance innovative models for communicating assurance as an alternative to the traditional inspect-and-report model. Practices such as continuous monitoring, self-reported issues, and macro-assurance planning are designed to assess and strengthen internal controls by identifying issues promptly and reducing the time to management action:

• Continuous Monitoring: Monitoring controls to detect potential failures, or transactions to identify possible errors and defects, enables management to see and respond to risk early, as it emerges. Continuous monitoring reduces the time to action, sustains the resolution, and extends assurance. When management has continuous monitoring practices in place, internal audit may be able to assess the programs and then rely on them as part of a continuous auditing or assurance program.
• Self-reported Issues: This practice empowers management to raise issues and track remediation to advance corrective action. Internal auditors gain comfort when management promptly addresses root causes for the self-reported issues.
• Macro-assurance: Pervasive themes can be highlighted by comparing and trending common issues raised by the governance community. Coordinating principle-based assessments performed by other assurance providers in sequence with internal audit engagements could give an over-arching macro-opinion across multiple entities or processes.

In addition, efficiency and effectiveness of overall assurance activities may be improved when common tools are
used by the internal auditor and other assurance providers. For example, multiple assurance functions can use an integrated platform to manage the assessment process, share results, and track remediation of significant issues. The sharing of schedules and plans, and the results of assessments, can avoid duplicate work. It also can highlight areas of increased risk. For example, multiple compliance issues raised by other assurance groups (such as noncompliance with trade compliance regulations) may indicate a need to address entity-level controls (such as the availability of experts in trade compliance regulations).

Principles for Relying on the Work of Internal or External Assurance Providers

2.1 Prior Guidance
The CAE can look to several authoritative sources for guidance on how the internal auditor may rely on the work of others. The IIA’s Practice Guide, Formulating and Expressing Internal Audit Opinions (April 2009), defines other assurance providers and provides guidance for a CAE to assess their competency, independence, and objectivity.

According to The IIA’s Practice Advisory 2050-3: Relying on the Work of Other Assurance Providers, the decision to rely on the work of other assurance providers can be made for a variety of reasons:

• To address areas falling outside of the competence of the internal audit activity.
• To gain knowledge transfer from other assurance providers.
• To efficiently enhance coverage of risk beyond the audit plan.

2.2 Five Principles in Determining Reliance
The extent of reliance to be placed on the other internal or external assurance providers depends on the following five principles:

1. Purpose: The assurance provider is clear in purpose and committed to providing assurance on a specified risk area and their work is relevant to internal audit’s objectives and scope. This is a fundamental principle which must be in place before proceeding further with an evaluation to determine reliability. For internal providers, the purpose should be established in a charter or other similar documentation. For external providers this should be provided for in a contract or statement of work.

2. Independence & Objectivity: The professional judgment of the assurance provider is impartial, without inappropriate interference from others. The assurance provider should demonstrate a sufficient degree of objectivity in the course of its work. Although internal assurance providers often report to management and thus are not truly independent, they can be relied on when they demonstrate appropriate objectivity and competence.

3. Competence: The assurance provider is knowledgeable of the risks to the organizational processes, how controls are designed to operate in response to the risks, and what constitutes a weakness or deficiency. Characteristics of proficiency for internal or external assurance providers include organizational process expertise, education level, professional experience, relevant professional certifications, continuing education, and the assurance provider’s reputation for sound judgment.

4. Elements of Practice: The assurance provider has established policies, programs, and procedures and follows them. In execution, assurance work is appropriately planned, supervised, documented, and reviewed. Results are based on persuasive evidence sufficient to support the level of assurance. They also should have the authority to access sufficient information to reach a conclusion.

5. Communication of Results & Impactful Remediation: The assurance provider communicates results and ensures management takes timely action. Weaknesses and deficiencies are reported to the person directly responsible for taking corrective actions and to the members of management that have oversight responsibilities. Ongoing monitoring ensures the resolution is sustained as intended. Rigorous process and persuasive and reliable communication results in prompt corrective action. In turn, management action validates an effective assurance process that internal audit can place greater reliance on.

[Figure: reliance continuum. Upward arrows run from Low Reliance to High Reliance, with the factors stacked in order: Purpose, Objectivity, Competency, Elements of Practice, Impact, set against Level of Risk. Caption: Assessment of each factor plus consideration of risk determines reliability.]

The application of these principles is further described in this diagram. The upward arrows depict a continuum. As the assurance provider puts these principles into practice, the CAE can place higher reliance on the provider’s work.

Purpose: When the assurance provider is committed and its purpose is aligned with internal audit’s objectives, auditors will find the work more relevant.

Objectivity: The assurance provider can demonstrate credibility and deliver value to the internal auditor even where independence is lacking. The assurance provider’s competence, elements of practice and impact are key factors in balancing lower objectivity and establishing reliance.

Competence: Assurance providers can bring a high level of expertise relevant to the specific business process while exercising sufficient objectivity. Although internal auditors provide a high degree of objectivity, they may not have the depth of knowledge needed to provide the desired level of assurance in certain organizational processes or technical areas.

Elements of Practice: The external and internal assurance providers’ discipline to practice standard procedures is directly related to their capability for timely and persuasive conclusions. Consistency and rigor in practice should raise the internal auditor’s confidence in the assurance provider’s work.

Impact: Internal assurance providers who are in close proximity to the business process may communicate risk and influence management to remediate control deficiencies quickly, perhaps more quickly than would a traditional internal audit. By monitoring risk and responding promptly, internal assurance providers may shorten the time to management action.

These principles are interdependent and operate at different levels, proportionate to risk. The internal auditor must evaluate each of these principles in relation to each other and to the overall risk of the relevant processes to arrive at a decision on whether to and how much to rely on another source of assurance provided outside of internal audit. For example, an assurance activity that has a clear purpose and is found to be objective and competent, but does not effectively communicate results or affect constructive change, would likely lead the CAE to rely on it to a much lesser extent. It also is important to note the positive role the internal audit function can play in raising the performance bar for other assurance providers through sharing of best practices and insight into risk management, controls, and audit principles.

Relying on Internal Assurance Providers

3.1 Who are Internal Assurance Providers?
Internal assurance providers (other than the independent internal audit function) are groups that may report to the board, management, or are part of management. These members of the governance community may conduct control self-assessments, continuous monitoring and compliance inspections, quality audits, or a variety of other activities by other names which are designed to provide assurance of achievement of some key organizational objectives or requirements. Organizationally, these individuals and groups may report to the legal department (common for regulatory compliance functions); finance (common for financial reporting control focused or regulatory compliance functions); information security (common for security functions under the chief information officer); environmental, health and safety; or to any operational unit that has decided to invest in a compliance program. All of these are groups the CAE should consider when developing audit plans with the potential to rely on their work.

3.2 Considerations for Internal Assurance Provider
The International Auditing and Assurance Standards Board (IAASB) is an independent standard-setter with the objective of establishing globally accepted auditing and assurance standards. The IAASB gives guidance on using the work of component auditors, internal auditors, and auditor’s experts in International Standards on Auditing (ISA) 600, 610, and 620, respectively. ISA 610 describes the following factors that primarily affect the external auditors’ determination for using the work of internal auditors:

• Objectivity.
• Technical competence.
• Due professional care.
• Regular communication.

ISA 620, Using the Work of an Auditor’s Expert, names competence, capability, and objectivity as essential factors when considering reliance on the work of others’ expertise. Competence relates to the nature and level of expertise of the auditor’s expert. Capability relates to the ability to exercise that competence in carrying out the engagement. Objectivity relates to the possible effects that bias, conflict of interest, or the influence of others may have on the expert’s judgment.

Similarly, the U.S. Public Company Accounting Oversight Board (PCAOB), a private corporation that oversees the auditors of public companies in the United States, has provided guidance[1] to external auditors on relying on the work of others. The same principles and considerations should be applied in relation to internal audit relying on the work of others. The level of reliance should be based on a careful evaluation of the competence, practices, and objectivity of the persons on whose work the auditor plans to rely. A higher degree of competence and objectivity results in greater reliance.

For purposes of relying on the work of others, the PCAOB defines competence as the attainment and maintenance of a level of understanding and knowledge that enables a person to perform assigned tasks. Objectivity means the ability to perform those tasks impartially and with intellectual honesty. When assessing the internal assurance provider’s competence, the CAE should evaluate such factors as:

• Educational level and professional experience of staff.

[1] Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements; PCAOB Release No. 2007-005A; AU Section 322 — The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements.


• Professional certification and continuing education.
• Audit policies, programs, and procedures.
• Supervision and review of staff activities.
• Quality of workpaper documentation, reports, and recommendations.
• Evaluation of staff performance.

Assessing the objectivity of other assurance providers can be a challenge as most of these groups report to management and not an independent body such as the audit committee of the board of directors, supervisory board, or head of an agency. There are several factors the CAE may consider when determining if the assurance group demonstrates sufficient objectivity to be relied on:
• The reporting lines for the other assurance group and the level of management to which they report.
• Whether the scope of work, including the tests performed or the assessment and reporting of the other assurance provider, are inappropriately influenced by management.
• Policies and practices preventing the assurance provider from auditing areas where the individuals involved have current or recent operational responsibilities.
• The internal auditor’s assessment of the quality of work performed by the assurance function, including fact-based conclusions, reporting, and follow-up to identified issues.

3.3 Know When to Rely and Not to Rely
Before investing any significant time in evaluating a particular internal assurance function, the CAE can consider some key factors to determine the extent of potential reliance. These include:
• A charter or similar statement of clear objectives and well-defined responsibilities.
• Objective reporting relationships and/or conflicting operational duties.
• Sufficient expertise regarding the organizational process and risk.
• Disciplined, repeatable processes.
• Communication of results, risks, or control concerns and remediation tracking.

It also is critical to understand the scope of assurance work performed by an internal assurance provider and how it may fit into the internal auditor’s assurance objectives and audit plans. Even though internal audit can bring value to the enterprise through objective quality reviews of internal assurance and compliance functions, there is limited value if this work does not extend coverage and help the CAE provide greater assurance to its stakeholders.

3.4 A Process for Relying on the Work of Others
The internal auditor should develop a consistent process for how it will place reliance on the work of others. The following is a basic approach that has been successful for some internal audit functions. It involves the basic steps of identification, evaluation, adjustment, and monitoring.

[Figure: the reliance process shown as a cycle of four steps: Identify, Evaluate, Adjust, Monitor.]

Identify — Locate internal assurance groups and determine maturity and priority based on preliminary assessment. In large, complex enterprises this can be a challenge. If an organization has an enterprise risk management process, this can be a good single source for identifying additional groups. As other assurance providers are identified, the internal auditor also must consider how their scope fits into internal audit’s own view of the overall risk and control environment and the potential benefits for integrating these assurance activities. Priorities should be based on a measurable value to the organization. This value includes expanding coverage and minimizing fatigue caused by redundant audit activities.

Evaluate — Perform an evaluation of individual groups to determine the extent the internal auditor can rely on the work of others. This is the most critical and time-consuming phase of the reliance model, where internal audit carefully considers the competency and objectivity of the assurance work performed by others. This evaluation also can bring value to the enterprise by providing recommendations to improve the effectiveness of assurance activities. As the evaluation is concluded, there should be a clear communication of how internal audit intends to use the assurance work on an ongoing basis. Additional guidance is provided below on how to evaluate the assurance provider.

Adjust — Modify audit plans and scope to eliminate duplicative testing and expand risk coverage. To realize the full value from a more integrated assurance model, careful consideration must be carried out to determine how these other activities can be used to bolster the independent assurance internal audit provides management, and where there are opportunities to reduce internal audit’s own testing. Internal audit should communicate expectations, objectives, and responsibilities in a memo of understanding with other assurance providers regarding the portion of their work that will be relied on.

Monitor — Maintain close communication with each group, sharing risk assessments, audit plans, and results. It is important to establish strong communication and sharing protocols following the evaluation of the assurance providers. This will help ensure the most efficient and effective use of internal audit resources as well as maintain confidence in relying on the work of the other providers. A re-evaluation of the assurance providers should be performed on a periodic basis (see section 3.6).

3.5 Reliance Continuum: Levels of Value
The value the internal auditor can derive from an effective partnership with other assurance groups will vary. There is a continuum of reliance moving from one side of the spectrum, where the auditor determines the work of the other assurance provider is useful but places little reliance, moving across the spectrum to where an assurance provider is fully relied on.

Low Reliance                                                                      High Reliance

Program commitment        | Common purpose         | Common purpose             | Integral purpose/priority
Broad expertise           | Process expertise      | Process expertise          | Technical expertise
Assess and report risk    | Inspection discipline  | Repeatable testing         | Rigorous practice
Point-in-time conclusion  | Issue tracking         | Sustained remediation      |
                          | Analytics              | Continuous monitoring      |
                          |                        | Communicate emerging risk  |


At a minimum, an effective assurance or compliance function should be regularly assessing and communicating risk for its area of responsibility. If the risk assessment process is determined to be sound, it can provide valuable information to help the internal auditor develop audit plans and priorities.

More robust assurance functions, which begin to incorporate periodic testing of controls, may allow the internal auditor to rely on their conclusions at a particular point in time. As these assessments become more frequent and extensive, the internal auditor may be able to place more reliance and further reduce the depth or frequency of its own testing.

Finally, where an effective assurance program is coupled with reliable monitoring mechanisms embedded at the control level, the internal auditor may place the maximum degree of reliance and confidence in the activity.

3.6 Importance of Periodic Evaluation of the Other Assurance Provider
Where internal audit will rely to any measurable extent on the work of other assurance providers, regular assessments should be made of the assurance providers’ programs. This is a critical element for internal audit to include in any reliance model to mitigate the risks described earlier (see section 1.4). These assessments should address the continued adequacy of the assurance providers’:
• Objectivity.
• Competence.
• Practices.
• Communication that enacts change.

The assessment should include performing tests sufficient to provide objective evidence supporting the reliance placed by internal audit. Opportunities for improving the work of the other assurance provider should be reported, consistent with standard internal audit practices.

Considerations for the CAE – A Case Study
Complex and business critical processes compel an approach for relying on other assurance providers:

A global provider of computer products and services relies on a complex and multichannel sales process involving thousands of third-party distributors around the world. Effectively managing this mix of sales channels can be a competitive advantage and is essential for the long-term success of the business. Management has implemented numerous control processes to mitigate a range of risks inherent in this area. Some examples of risk include compliance (e.g., doing business with restricted parties), financial (e.g., unprofitable sales discounting), and operational (e.g., non-standard and inefficient processes).

Based on management’s assessment of the risks and identified control weaknesses, management has invested in a compliance program that includes regular self-assessments by trained, objective assessors outside of internal audit, who test the operating effectiveness of key controls, report findings, and recommend corrective actions. Internal audit provided consultation to help management develop the control framework and key compliance program elements with the intent to rely on this work. This model promoted management ownership of risk and control and more frequent monitoring and testing of controls than the internal audit function could realistically provide due to resource constraints and other enterprise risks to be monitored.

Once the compliance program was implemented and stabilized, internal audit performed a review to validate that it was operating as intended, providing factual and objective assurance and driving positive change in the business. As part of the review, internal audit also connected the compliance program scope with the audit plan and determined how and when the work would be leveraged, and agreed with management on how the two groups would communicate on a regular basis, share information, and collaborate to form a trusted partnership.

Internal audit has significantly reduced the frequency and depth of their control testing, which is now covered by management’s compliance process, and has been able to focus on other areas historically not audited such as product lifecycle management, strategic sourcing, and IT project management.


Relying on the Work of External Assurance Providers

4.1 Introduction
A wide variety of external groups provide assurance services to organizations worldwide to ensure that internal controls and risk management procedures are in place and operating effectively. External assurance providers also provide these services at third-party service organizations for the benefit of the service organization and their respective business clients. The purpose of this section is to examine some of the services offered by external assurance providers and discuss key areas that the CAE should consider before placing reliance on their work.

4.2 Who Are External Assurance Providers?
Common external assurance providers include public accounting firms, government auditor general offices, consulting companies, legal firms, security organizations, and internal audit departments of third-party service providers. The following provides a description of each.

Public accounting firms – provide many assurance services such as opining on the fairness and accuracy of financial statements; performing International Organization of Standards (ISO) certification reviews to ensure that an organization conforms to the requirements specified in an ISO standard; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; reporting on a service provider’s privacy program and assessing the protection of personal information; and attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Government auditor general offices – provide services similar to public accounting firms; however, they are usually government appointed functions that report to the overall government rather than to shareholders. They provide many assurance services such as opining on the fairness and accuracy of financial statements; performing performance audits to give assurance that appropriate value for money is being achieved from various activities and projects; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; and attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Consulting companies – provide many services similar to those of public accounting firms mentioned above. However, they are not licensed or registered to issue an opinion on the fairness of financial statements.

Legal firms – provide services to help organizations and third-party service providers to assess compliance with various laws and regulations in jurisdictions where they do business. Legal firms also bring a wealth of knowledge when assisting organizations in completing privacy and legal risk assessments.

Security organizations – provide specialized assurance services such as validating compliance with requirements of the Payment Card Industry Data Security Standards (PCI-DSS) as a qualified security assessor (QSA), conducting network penetration assessments, and performing system vulnerability assessments for security patches, viruses, and fixes. They also provide services related to fraud and IT risk assessments.

The internal audit function of service providers – like other internal audit departments, provides many auditing and consulting services to ensure that internal controls are working effectively and efficiently, and verifies that management has programs in place to address significant IT infrastructure risk, application risk, and business process risk relevant to the organization.

Internal audit functions of user entities – often the service organization is contacted by internal audit functions of their customers, user entities, to provide assurance regarding a particular service or organizational process or to gain visibility throughout a specific time period. It’s not unusual for the service organization to be audited by multiple user entities. Analyzing the audit results and issues raised through assessments conducted by user entities can provide the service organization with common themes, providing a unique view of its capability for carrying out control activities consistently.

Specific services provided by external assurance providers can be found in appendix A.

4.3 Considerations for the CAE When Relying on External Assurance Providers
It is important for management and the CAE to understand the relevance of assurance work completed by external assurance providers within the organization. It also is important for management and the CAE to have the same understanding if the organization is outsourcing key business processes to third-party service providers. The CAE also must assess the impact their assurance work may have on the internal audit function.

For information on the role of the CAE in sharing information and coordinating activities with other providers of assurance and consulting services, refer to The IIA’s Practice Guide on Coordinating Risk Management and Assurance.

Some common questions are outlined below, along with points for consideration:

1. Are the external assurance providers sufficiently qualified, objective, and independent to perform the necessary assurance work? How much reliance should the CAE place on the work of external assurance providers?

The CAE should:
• Determine if the external assurance provider is subject to professional performance standards and guidance such as those prescribed by The IIA, the International Federation of Accountants (IFAC), the International Organization of Supreme Audit Institutions (INTOSAI), and other similar governing bodies.
• Ensure that the external assurance provider is in good standing with their respective governing body and place greater reliance on the work of compliant external assurance providers compared to those not subject to professional standards.
• Determine if the external assurance provider is subject to professional ethics requirements to ensure the assurance work is performed by qualified individuals, and done in an objective and independent manner.
• Confirm that due diligence was performed on the external assurance provider that includes background checks, financial stability, years in business, confidentiality agreement, references, and a review of resumes of the provider’s engagement employees.
• Obtain evidence, as necessary, to confirm that the individuals performing the work meet competency and experience requirements, that the work is performed and supervised consistent with quality standards, and that the assessment and report are free from inappropriate influence from management. Consideration should be given to whether the assurance provider performs other consulting work for management which might influence their assurance activities, including whether there is either a real or perceived independence and objectivity issue.

2. What is the impact to the annual internal audit plan if the CAE either places reliance or does not place reliance on the work of external assurance providers?

The CAE should:
• Be aware of the scope, objectives, and findings of the external assurance engagement to determine the impact to the annual audit plan.


• Determine if there is duplication of audit coverage as a result of the engagement. Alternatively, the CAE should determine if there are coverage gaps in the engagement that may require additional audit work by internal audit.
• If the engagement is performed at the organization, determine if there is an opportunity to co-source the engagement, or at a minimum, participate in the tracking of audit findings and resolutions.
• If the engagement was conducted by the organization’s third-party service provider, reach out to the service provider to obtain information about the engagement.
• Consider the need for any preliminary audit work prior to the start of the engagement.

3. Do the objectives and scope of work performed by external assurance providers address key risks of the organization?

The CAE should:
• Carefully review and understand the scope and objectives of the external assurance engagement before determining the impact it may have on internal audit.
• Keep in mind that an external assurance engagement typically will not cover all the business risks, key controls, and concerns.

4. Should internal audit complete additional assurance work to supplement the work of external assurance providers?
• An external assurance engagement typically will not cover all the risks and exposures related to the organization. As such, the CAE and internal audit may have to perform additional audit work based on its risk assessment.
• Consider the scope, objectives, and results of the engagement before finalizing any additional audit work.
• Before additional audit work is planned at the organization’s third-party service provider(s), identify the right-to-audit clauses contained in the service agreement with the service provider.

5. Should internal audit reperform audit work completed by external assurance providers?
• The level of expertise brought to the engagement and the rigor practiced by the other assurance provider will determine the extent of diligence conducted by internal audit to accept their audit work. In most cases internal audit would not reperform testing; rather, the CAE should conduct a suitable analysis to determine if the audit work completed was commensurate with the assertions as intended based on risk, scope, and competence of the external service providers.
• For specialist reviews like penetration and network vulnerability engagements or income tax consulting, the CAE should understand that this area is technical in nature, so the skill set of each auditor should include a solid background in network and information security, income taxes, or the relevant specialty.

6. Should the CAE pursue co-sourcing arrangements with external assurance providers?
• The CAE should consider separate (from management) co-sourcing arrangements with the external assurance provider that would provide the appropriate skill sets and add to the efficiency and effectiveness of the audit engagement.

Co-sourcing arrangements may include preliminary audit work prior to the start of the engagement, conducting some audit work during the engagement under the supervision of the external service provider, and completing post-audit work to validate on-going compliance and remediation efforts.


Appendix

Appendix A: Services Provided by External Assurance Provider
The types of services offered by external assurance service providers include AICPA/CICA SysTrust, ISO/IEC 27002:2005 certifications, SSAE 16/ISAE 3402 reviews, internal audit co-sourcing, PCI-DSS assessments, network penetration security assessments, vulnerability management reviews, and many other types of services. A description of some of these common services follows:

AICPA/CICA SysTrust
For example, in North America, SysTrust is a branded assurance service offering licensed by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) Trust Services Principles and Criteria (Trust Services). Trust Services are professional attestation and advisory services based on principles and criteria that address risks and opportunities of IT-enabled systems and privacy programs. Specific areas covered in Trust Services guidance include:2
• Security – the system is protected against unauthorized access (both physical and logical).
• Availability – the system is available for operation and use as committed or agreed.
• Processing integrity – system processing is complete, accurate, timely, and authorized.
• Confidentiality – information designated as confidential is protected as committed or agreed.
• Privacy – personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

As a licensed offering, SysTrust engagements are conducted by certified public accountants (CPAs) or chartered accountants (CAs). Many organizations, particularly third-party service providers, request this type of engagement to demonstrate to their clients that they are concerned about protecting the information assets entrusted to them, and addressing business risks and controls associated with complex IT systems. These reports also can be used by the service organization in marketing its services to potential clients/customers.

ISO/IEC 27002:2005
The ISO/IEC 27002:2005 – Code of Practice for information security management is one of a set of Information Security Management System (ISMS) standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Through the use of these standards, organizations can develop and implement a framework for managing the security of their information assets such as financial information, intellectual property, and customer and employee personal information. The ISMS family of standards consists of the following international standards, under the general title of Information technology – Security techniques:3
• ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary.
• ISO/IEC 27001:2005, Information security management systems — Requirements.
• ISO/IEC 27002:2005, Code of practice for information security management.
• ISO/IEC 27003, Information security management system implementation guidance.
• ISO/IEC 27004, Information security management — Measurement.

2 Trust Services Principles and Criteria – An Overview, January 29, 2009, www.aicpa.org/InterestAreas/InformationTechnology/Resources.
3 ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary, First edition 2009-05-01, ISO/IEC. This material is reproduced from ISO/IEC 27000:2009 with permission from the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this material may be copied or reproduced in any form, electronic retrieval system or otherwise or made available on the Internet, a public network, by satellite or otherwise without the prior written consent of the ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org.


• ISO/IEC 27005:2008, Information security risk management.
• ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management system.
• ISO/IEC 27007, Guidelines for information security management systems auditing.
• ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.

ISO/IEC 27002 provides guidance on the implementation of 11 commonly accepted security control objectives along with best practice controls that can be applied to achieve the objectives. The standard also includes comments on risk assessment and treatment. Specific areas covered in the standard include:
• Security policy.
• Organization of information security.
• Asset management.
• Human resources security.
• Physical and environmental security.
• Communications and operations management.
• Access control.
• Information systems acquisition, development, and maintenance.
• Information security incident management.
• Business continuity management.
• Compliance.

Many organizations, particularly third-party service providers, who have adopted the ISO/IEC 27002 information security management standard, choose to be certified compliant with the standard through a formal independent audit. Third-party service providers often use this certification to demonstrate to current and future business clients that they have good security practices in place to protect the information assets that are entrusted to them.

ISO does not audit or assess an organization to validate that its standards are being implemented in conformity with the requirements. An external independent certification body or ISO registrar conducts the audit to determine if the organization conforms to the requirements specified in the standard to obtain certification. There are numerous certification bodies (assurance service providers) worldwide that carry out certification assessments. External service providers performing this type of service include public accounting firms, consulting companies, and sole practitioners.

SSAE 16/ISAE 3402
Third-party assurance reviews are normally performed for organizations that process financial transactions for their clients or customers. The resulting report is typically used by internal and external auditors and can potentially reduce the amount of work required in their audits. The reports describe the service offerings and the control environment surrounding the processing of customer transactions.

ISAE 3402
The International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB) under the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting.4 The effective date for this standard applies to periods ending on or after June 15, 2011.

4 2011 ISAE3402.com, http://isae3402.com/ISAE3402_overview.html


SSAE 16

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the AICPA in January 2010. SSAE 16 replaced Statement on Auditing Standards (SAS) No. 70, Service Organizations, as the authoritative guidance for reporting on controls at service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011.5 SSAE 16 is based on the IAASB assurance standard for service auditors, ISAE 3402. It should be noted that the requirements for auditing the financial statements of entities that use service organizations remain in the auditing standards in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization.

The AICPA is establishing three reporting options to provide a framework for CPAs to examine controls and to help management understand related risks. The Service Organization Control 1 (SOC 1) report addresses controls for financial statement audits with guidance provided by SSAE 16. SOC 2 reports on controls related to compliance or operations with guidance provided by Attestation Standard (AT) Section 101, Attest Engagements. Both SOC 1 and SOC 2 reports are restricted use reports. SOC 3 reports are the same as a SOC 2 report but general use.

The AICPA SSAE 16 or ISAE 3402 allows for two types of reports:

Type I: Reports on controls placed in operation
A service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal controls, whether such controls were suitably designed to achieve specified control objectives, and whether they had been placed in operation as of a specific date. These reports may be useful in providing a user auditor with an understanding of the controls necessary to plan the audit, as well as design effective tests of controls and substantive tests at the user organization. However, they are not intended to provide a basis for reducing assessments of control risk below the maximum.

Type II: Reports on controls placed in operation and tests of operating effectiveness
A service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal controls, whether such controls were suitably designed to achieve specified control objectives, whether they had been placed in operation as of a specific date, and whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing the user auditor with an understanding of the controls necessary to plan the audit and may also provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

Some common misconceptions about SSAE 16 reports the CAE should be aware of include:
1. All SOC reports contain the same control objectives. (Control objectives are defined specifically for the environment being attested.)
2. SOC reports are “forward-looking” documents.
3. Type I vs. Type II reports don’t really make a difference to my audit planning. (Type I only covers control design effectiveness and is point in time. Type II covers control operating effectiveness for an opinion period.)
4. Exceptions are not reported. (Any exceptions to the controls are clearly identified in the test tables even if they do not rise to the level of a qualified report.)
5. Exceptions have no impact on my audit plan.
5 2011 SSAE16.com, http://ssae16.com/SSAE16_overview.html


(Further testing or compensating controls should be considered for exceptions.)
6. Since SOC reports are intended for external auditor-to-auditor communication, the report is not relevant to internal audit planning. (Using, relying on, or further testing the controls covered in the SOC report should be discussed at planning.)
7. As a professional courtesy, a copy of the SOC opinion need only be referenced in the audit planning file. (A thorough understanding of the scope, coverage, nature, timing, and extent of testing within an SSAE 16 engagement is essential.)

The CAE of the organization that utilizes third-party service providers should consider adopting the following practices when evaluating the impact of SSAE 16 engagements on the organization and the audit plan:
• Obtain all relevant SSAE 16 SOC reports.
• Determine the exact nature of the environment in scope for the report, as large service providers can potentially have many reports.
• Understand “carve-outs” of environments, as the standard allows service providers to exclude areas or parts of the environment from the scope of work and the resulting audit opinion.
• Review the independent service auditor’s opinion type (qualified/unqualified).
• Review the date of the report(s) and period(s) covered.
• Determine whether the report is a Type I or Type II.
• If the SSAE 16 report is older than six months, a more current report should be requested. If a more current report is not yet available, then management and the CAE should consider the need to perform other audit procedures to obtain comfort over the controls at the service provider or request a letter from the service provider to bridge the interim.
• Document the comfort level with the SOC report and the impact to the organization and the CAE’s audit plans.
• Determine if control risk will be assessed as low, moderate, or high.
• Gain an understanding of and test the user control considerations defined in the report.

Payment Card Industry – Data Security Standard (PCI-DSS)

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of 12 technical and operational requirements established by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process, or transmit cardholder data. The PCI SSC also provides guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard, and VISA, Inc.

The PCI-DSS Security Audit Procedures (SAPs) contain more than 230 comprehensive requirements. The auditing responsibility is distributed between merchants, qualified security assessors (QSAs), approved scanning vendors (ASVs), and acquirers. PCI SSC allows two acceptable forms of auditing of the requirements: by either a qualified security assessor (QSA) or an internal security assessor (ISA).

QSA companies are organizations that have been qualified by the PCI SSC to perform detailed SAP assessments and reports on compliance on behalf of the merchant. The primary reasons merchants may select a QSA rather than performing the assessment internally may include transaction volume, breadth of industry knowledge, depth of technical expertise, and an independent view of the environment. Other reasons merchants may not use internal resources may include lack of technical competence, lack


of resources, and a desire to focus resources on more strategic rather than compliance efforts.

ISA is a certification required for organizations performing internal assessments with their internal audit staff, beginning in 2011. The purpose of the ISA certification is to ensure internal auditors are provided the same training as the QSAs to improve the quality, consistency, and competency of the assessments.

Penetration Tests and Network Vulnerability Management

Organizations continue to be impacted by malicious breaches resulting in compromised credit card information, social security numbers, medical information, and other loss of internal and external customer information at the hands of hacker attacks. Key to proactively combating these attacks within an organization is to ensure a strong program for penetration tests and vulnerability assessments.

Penetration testing, sometimes called “ethical hacking,” mimics the role of a hacker to deliberately attempt to break into the network infrastructure to determine vulnerabilities of key components of the company infrastructure that could lead to a compromise of critical/sensitive information. The penetration test should stop short of actually negatively impacting the environment.

Penetration tests are not only an imperative practice for a strong information security program, but are required to comply with several regulations and requirements. For example, PCI-DSS requires third-party penetration tests to be performed annually. Some organizations require annual penetration testing as a key IT general control to meet the requirements of the U.S. Sarbanes-Oxley Act of 2002. External penetration testing provides organizations the opportunity to have an independent third party determine the risks (or weak links) in their network and systems.

Vulnerability management comprises the processes and technologies that an organization employs to identify, assess, and remediate IT vulnerabilities — weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk. One of the most common attack vectors today is via weak or insecure web application programs. Hackers exploit these weaknesses to gain access into the unsuspecting organization’s network and systems environment. Awareness and secure coding training are crucial to help mitigate this risk. All programmers, especially web application developers, should be properly trained on secure coding techniques.

Penetration tests and vulnerability assessments could potentially disrupt an organization. Therefore, organizations should determine what is needed to adequately test given the potential of “breaking” or disrupting a component of the infrastructure. A strong program for penetration testing and vulnerability management is imperative for an organization to mitigate internal and external threats.

In conclusion, services offered by external assurance providers can be leveraged to provide broader coverage of the organization’s key risks when carefully considered beforehand to be relevant to the enterprise. As outlined in the first principle of “purpose,” both external and internal assurance providers are committed to reliance and their work is relevant to the objective of internal audit, which applies to operational, regulatory, or financial reporting. It is vital to communicate expectations, objectives, and responsibilities with the other assurance provider regarding the portion of their work that will be relied upon.

Appendix B: Guide for Internal Auditors to Assess the Reliability of Other Assurance Providers

The following is a sample audit guide for internal audit to assess the reliability of another internal assurance provider. These procedures should help the auditor evaluate the extent to which the assurance provider meets the principles for reliance described in section two of this practice guide. In evaluating the competency and objectivity of the assurance provider, the assessment process is organized around four major areas:

Governance and Objectives – A charter or objective statement provides authority and scope of assurance activities and establishes intent for internal audit to rely on the work product of the assurance provider. Adequate staff is in place (numbers and competency) and objectivity is provided for.

Risk Assessment and Planning – Assurance activities are guided by appropriate policies and procedures and should include audit plans that incorporate an assessment of risk.

Assurance Execution – The assurance provider has a demonstrated performance history of delivering to the established objectives and producing competent and reliable results. Documentation should be maintained as evidence of performance to relevant professional standards.

Reporting and Follow-up – The results of assurance activities are reported to an appropriate level of management and issues are tracked until they are mitigated.

Purpose and Governance – A charter or objective statement provides authority and scope of assurance activities and establishes intent for internal audit to rely on the work product of the assurance provider. Adequate staff is in place (numbers and competency) and objectivity is provided for.

Characteristic – Verification Procedures or Method of Demonstrating

Charter
1. Does the assurance provider have a written charter that includes the following elements: mission and scope of work, accountability, roles and responsibilities, and authority?
2. Is the charter published, easily accessible, and communicated to all applicable staff?
3. Is the charter periodically reviewed and updated in accordance with the changing risk environment and approved by an appropriate leadership level?

Written policies and procedures
Does the assurance provider maintain documented policies and procedures that include the following:
1. Procedures to identify, document, and evaluate the relevant risks and their associated controls.
2. Risk-based procedures to evaluate the effectiveness of internal controls.
3. Procedures to document internal control monitoring and testing procedures including supervisory review.
4. Procedures to report on the effectiveness of internal control to appropriate management.
5. Procedures to monitor and report actions to remediate control weaknesses.

Personnel performing assurance activities have appropriate skill and objectivity
1. Obtain staff bios and look for appropriate background, experience, and education to perform audit activities. Evidence may include formal education, direct experience, professional certifications, and relevant training courses.
2. Review and evaluate the assurance provider’s functions/responsibilities beyond their review activities and ensure that these tasks do not impair their independence.
3. Evaluate the management supervision process of staff and determine if there is appropriate oversight to ensure the quality of work.


Performance measurements
1. Does the assurance provider measure its own performance? This could include use of a balanced scorecard, surveys of key stakeholders, etc.
2. Identify key stakeholders of the assurance provider’s assurance activity and interview them to understand their view of the value being provided, the areas of focus, quality, and timeliness of reporting, etc.

Risk Assessment and Planning – Assurance activities are guided by appropriate policies and procedures and should include audit plans
that incorporate an assessment of risk.

Characteristic – Verification Procedures or Method of Demonstrating

Defined assurance universe
1. How has the assurance universe been defined? Determine the appropriateness of the size and number of the entities making up the audit universe (e.g., too detailed or general, too many or too few, logical division, etc.).

Risk assessment
1. Review the risk assessment process. Understand the key risk components considered. Evaluate if these are reasonable and comprehensive, considering both qualitative and quantitative factors. Is the risk assessment updated at least annually?
2. Determine if the assurance provider follows a structured approach to create and document risk-based reviews. Does the approach include input from an appropriate range and level of business leaders?
3. Interview the audit team and process owners of the associated business units/support functions and assess how risks are updated for changes such as acquisition, reorganization, change in job responsibilities, etc.

Assurance plan
1. Obtain the current period and long range audit plan(s). Determine the following:
- How is the assurance plan developed?
- Is it based on results of the risk assessment?
- Are plans reviewed and approved by an appropriate level of leadership?
- Does the plan provide for appropriate coverage of the assurance universe?
- Does the plan include appropriate time for follow-up activities to validate corrective actions of prior issues?
2. Inquire as to how the planning process factors in changes that occur, such as new regulations, organization changes,
etc.
3. Compare current staffing levels with the audit plan to determine if sufficient resources are available (i.e. are they on
track to finish their scheduled reviews).

Assurance Execution – The assurance provider has a demonstrated performance history of delivering to the established objectives and
producing competent and reliable results. Documentation should be maintained as evidence of performance to relevant professional
standards.

Characteristic – Verification Procedures or Method of Demonstrating

Engagement planning
Select a sample of assurance engagements and review for the following:
1. Does the engagement have a documented scope, objectives, timeframe, and deliverables?
2. Do the scope and objectives tie to the overall risk assessment and assurance plan?
3. How is the scope determined? Is it based on some preliminary assessment and understanding of risks relevant to the
activity being reviewed?
4. Does the scope appear adequate in light of the identified risks?


Documentation
1. Are work programs documented to achieve engagement objectives? These should establish the procedures for
identifying, analyzing, evaluating, and recording information during the engagement.
2. Is the work performed documented? Review the workpapers and assess whether they are sufficient, relevant, and
reliable in meeting IIA standards.
3. Assess if it is feasible for a third party to re-perform the work based on the audit work papers.
4. Are appropriate samples selected for the controls tested?
5. Are issues or findings adequately documented, with root cause clearly identified?
6. Is there evidence of an appropriate review and approval of assurance work?
7. Are workpapers appropriately secured and retained according to company record retention requirements?

IT considerations
1. Review for evidence of appropriate use of technology in assurance activities, i.e., use of analytical review techniques, computer aided audit tools (CAATs), etc.
2. Are IT risks and controls adequately considered and addressed in the assurance/audit activities?

Reporting and Follow-up – The results of assurance activities are reported to an appropriate level of management and issues are tracked
until they are mitigated.

Characteristic – Verification Procedures or Method of Demonstrating

Reporting
1. Are the results of assurance activities formally reported? Select a sample of assurance reviews completed in the past 12 months and review for the following:
- Are they documented and presented in a standard format?
- Are they provided to an appropriate distribution of leadership?
- Are findings presented in a reasonable time following the review activities?
- Are issues and recommendations clearly presented and rated according to assurance provider procedures?
2. Do findings include elements of effective issues (5 C’s – criteria, condition, cause, consequence, corrective action)?
3. Do all issues have an appropriate owner identified?

Issues are identified and tracked
1. Is there a process to monitor issues and status of corrective actions? Is status regularly reported to appropriate leadership?
2. Is there a process to validate corrective actions taken in response to audit issues?


Glossary

The American Institute of Certified Public Accountants (AICPA) – the voice of the accounting profession since 1887. The AICPA prides itself on serving the certified public accounting (CPA) profession and the public interest to which it is profoundly committed. AICPA members work in all sectors of the business and financial services profession, including public accounting, financial planning, tax, business and industry, law, consulting, education, and government.
http://www.aicpa.org/About/Pages/About.aspx

Assessment – the act of assessing; appraisal; evaluation.

Auditing Standard No. 5 (AS No. 5): An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements – Issued by the PCAOB, the report is based on PCAOB inspections that examined portions of approximately 250 audits of internal control over financial reporting (ICFR) by the eight largest domestic registered firms in 2007 and 2008. AS No. 5 became effective for audits for fiscal years ending on or after Nov. 15, 2007, and replaced the PCAOB’s previous ICFR standard, AS No. 2.
http://pcaobus.org/News/Releases/Pages/09242009_AS5_Report.aspx

Board – A board is an organization’s governing body, such as the board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a nonprofit organization, or any other designated body of the organization, including the audit committee to whom the chief audit executive may functionally report.

Chief Audit Executive (CAE) – describes a person in a senior position responsible for effectively managing the internal audit activity in accordance with the internal audit charter and the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards). The CAE or others reporting to the CAE will have appropriate professional certifications and qualifications. The specific job title of the CAE may vary across organizations.
https://www.globaliia.org/standards-guidance/mandatory-guidance/Pages/Standards-Glossary.aspx

The Canadian Institute of Chartered Accountants (CICA) – represents Canada’s chartered accountants (CA) profession both nationally and internationally. CAs are Canada’s internationally recognized profession of leaders in senior management, advisory, financial, tax, and assurance roles.
http://www.cica.ca/about-the-profession/cica/index.aspx

Compliance Community Member – an individual or group with responsibility for developing, administering, and monitoring internal programs to ensure compliance with applicable federal and state laws and regulations. Alternate titles: compliance manager, risk and compliance officer.

Continuous Auditing – Continuous auditing is a method used to perform control and risk assessments automatically on a more frequent basis. Technology is key to enabling a continuous auditing approach. Traditionally, internal audit’s testing of controls has been performed on a retrospective and cyclical basis, often many months after business activities have occurred. The testing procedures have often been based on a sampling approach and included activities such as reviews of policies, procedures, approvals, and reconciliations. Today, however, it is recognized that this approach only affords internal auditors a narrow scope of evaluation, and is often too late


to be of real value to business performance or regulatory compliance. See GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.

Continuous Monitoring – encompasses the processes that management puts in place to be sure that the policies, procedures, and business processes are operating effectively. It addresses management’s responsibility to assess the adequacy and effectiveness of controls. This involves identifying the control objectives and assurance assertions and establishing automated tests to highlight activities and transactions that fail to comply. See GTAG 3.

Co-sourcing – Many CAEs must confront the possibility of outsourcing some of their work to ensure everything with which they are tasked is completed in a timely and competent manner. Co-sourcing presents a CAE with a broad range of outside capabilities to supplement in-house talent.

Chartered Accountant (CA) – Professional member of a country’s Institute of Chartered Accountants. He or she must work (and be trained) in the office of a practicing chartered accountant for three years, and pass exhaustive written tests to qualify. On completing the requirements, the trainee is awarded the Associate of the Institute of Chartered Accountants (ACA).
http://www.businessdictionary.com/definition/chartered-accountant-CA.html

Certified Public Accountant (CPA) – a statutory title of qualified accountants in the United States for one who has passed the CPA examination administered by the licensing body of the AICPA.

AICPA Board of Examiners (BOE) – a senior committee of the AICPA that sets policy for the Uniform CPA Examination in accordance with legal and psychometric standards as they apply to licensure examinations. Members of the BOE are CPA volunteers from every segment of the profession — public accounting, business and industry, and the academic community — the majority of whom currently also have regulatory (state board) experience.
http://www.aicpa.org/BECOMEACPA/CPAEXAM/EXAMOVERVIEW/GOVERNANCE/Pages/default.aspx

Internal Security Assessor (ISA) – A certification program offered by the Payment Card Industry Security Standards Council (PCI SSC), an international organization that manages the Payment Card Industry Data Security Standard (PCI-DSS). ISA is designed to help companies comply with their continually evolving rules and regulations. The ISA program offers training to merchants, banks, and processors. This certification program trains select individuals on the basics of implementing an ongoing security discipline, and works to remove the “check the box” mentality that can sometimes arise with compliance programs. ISA program benefits include: an opportunity for internal auditors to learn the same techniques taught to QSAs; the chance for merchants to verify their internal staff have a common understanding of the PCI-DSS requirements; the ability for merchants to hear the intent of the requirements directly from the Council; and a potential reduction in compliance costs by teaching ISAs to develop security strategies before and beyond the annual PCI-DSS validation.
http://www.scmagazineus.com/how-you-are-changing-the-pci-standards-in-2010/article/170374/

International Organization of Supreme Audit Institutions (INTOSAI) – a worldwide affiliation of governmental entities. Its members are the Chief Financial Controller/Comptroller General Offices of nations.


International Standard on Assurance Engagements (ISAE) 3402 – deals with assurance engagements undertaken by a professional accountant in public practice to provide a report for user entities and their auditors on the controls at a service organization. The service is likely to be relevant to user entities’ internal control as it relates to financial reporting.
http://web.ifac.org/download/b014-2010-iaasb-handbook-isae-3402.pdf

Information technology – Security techniques – Code of practice for information security management (ISO/IEC 27002:2005) – an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), originally as ISO/IEC 17799:2000. ISO/IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing, or maintaining Information Security Management Systems (ISMS). The current standard is a revision of the version first published by ISO/IEC in 2000, which was a word-for-word copy of the British Standard (BS) 7799-1:1999.

Key Performance Indicators (KPIs) – KPIs are important measures of a business’s performance and progress toward goals (dictionary.com). They are metrics related to critical success factors.

Key Risk Indicator (KRI) – a measure used in management to indicate how risky an activity is. According to The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Guidance on Monitoring Internal Control Systems, key risk indicators are forward-looking metrics that seek to identify potential problems, thus enabling an organization to take timely action, if necessary. Reprinted with permission from COSO, copyright 2004-2011. COSO. All rights reserved.

Macro Assurance – Pervasive themes can be highlighted by comparing and trending common issues raised by the compliance community. Planning principle-based assessments performed by other assurance providers in sequence with internal audit engagements provides an overarching macro-opinion across multiple entities or processes.

Other Assurance Provider (internal/external facing) – Internal Other Assurance Providers are evaluators who report to management and/or are part of management (management assurance), including individuals who perform control self-assessments, quality auditors, environmental auditors, and other management-designated assurance personnel. External Other Assurance Providers are evaluators who report to external stakeholders (external audit assurance), a role traditionally fulfilled by the independent/statutory auditor.

U.S. Public Company Accounting Oversight Board (PCAOB) – The PCAOB is a nonprofit corporation established by the U.S. Congress in 2002 to oversee the audits of public companies to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports. The PCAOB also oversees the audits of broker-dealer compliance reports under federal securities laws.
http://pcaobus.org/Pages/default.aspx

Payment Card Industry Data Security Standard (PCI-DSS) – created by the leading credit card companies to ensure customer data is safeguarded.

Payment Card Industry Security Standards Council (PCI SSC) – offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements and support resources to


help organizations ensure the safe handling of cardholder information at every step. The keystone is the PCI-DSS, which provides an actionable framework for developing a robust payment card data security process — including prevention, detection, and appropriate reaction to security incidents.
https://www.pcisecuritystandards.org/security_standards/index.php

Penetration Testing – A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source. The process involves an active analysis of the system for any potential vulnerability that could result from poor or improper system configuration, from known and unknown hardware or software flaws, or from operational weaknesses in process or technical countermeasures. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered.

Qualified Security Assessor (QSA) – The Payment Card Industry (PCI) QSA designation is conferred by the PCI Security Standards Council on those individuals that meet specific information security education requirements, have taken the appropriate training from the PCI Security Standards Council, are employees of an Approved PCI Security and Auditing Firm, and will be performing PCI compliance assessments as they relate to the protection of credit card data. The term QSA may also be used to identify an individual qualified to perform PCI compliance auditing and consulting. The primary goal of an individual with the PCI QSA certification is to perform an assessment of a firm that handles credit card data against the high-level control objectives of the PCI Data Security Standard (PCI-DSS).

Reliance – confident or trustful dependence (dictionary.com).

Statement of Auditing Standards No. 70 (SAS 70) – SAS 70 is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). SAS 70 demonstrates that data centers have adequate controls and safeguards in place to host or process data related to their customer base. SAS 70 is not a certificate, but an opinion on the nature of those controls.
http://www.c7dc.com/articles/sas-70-faq.htm

Self-reported Issues – This practice empowers management to raise issues and track remediation to advance corrective action. Auditors gain comfort when management promptly addresses root causes related to the self-reported issues.

Service Provider – any company that provides the following services to another organization: executes and maintains accountability of transactions, records transactions and processes information, and impacts the client’s financial reporting. Typical service companies include application service providers, claims processors, clearinghouses, credit processing companies, and data center hosting facilities.
http://www.c7dc.com/articles/sas-70-faq.htm

Statement on Standards for Attestation Engagements (SSAE) No. 16 – In April 2010 the AICPA Auditing Standards Board (ASB) issued SSAE 16, Reporting on Controls at a Service Organization. The SSAEs are also known as attestation standards. SSAE 16 is applicable when an entity outsources a business task or function to another entity (usually one that specializes in that task or function) and the data resulting from that task or function is incorporated in the outsourcer’s financial statements. In SSAE 16 an entity that performs a specialized task or function for other entities is known as a service organization and an entity that outsources the task or function to

a service organization is known as a user entity. SSAE 16 was itself superseded by SSAE 18, effective for reports dated on or after May 1, 2017; service organization control reports (SOC 1 for controls relevant to financial reporting, SOC 2 for security, availability, processing integrity, confidentiality, and privacy) are now issued under that standard.
http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/DownloadableDocuments/QAs_Serv_Orgs_Apr_26_2010.pdf

User Entity (Client Organization) – an entity that outsources a business task or function to another entity (usually one that specializes in that task or function), where the data resulting from that task or function is incorporated in the user entity’s financial statements. In SSAE 16 an entity that performs a specialized task or function for other entities is known as a service organization and an entity that outsources the task or function to a service organization is known as a user entity.
http://www.aicpa.org/InterestAreas/AccountingAndAuditing/Resources/SOC/DownloadableDocuments/QAs_Serv_Orgs_Apr_26_2010.pdf

Vulnerability Management – the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This practice generally refers to software vulnerabilities in computing systems. Unlike a penetration test, which demonstrates at a point in time what an attacker could achieve, vulnerability management is a continuous process; an auditor relying on it should look at scan coverage, time to remediate by severity, and how exceptions are approved and tracked.

Authors:
Bradley C. Ames, CPA, CISA

Ken Askelson, CPA, CITP, CIA

Hussain T. Hasan, CISSP, CISM, CGEIT, PCI-QSA

David Strealy, CIA

David Williams, CISA

Reviewers and Contributors


Gary E. Eymer, CIA

Carrie Gilstrap, CISA

Mark Harrison

Steve Hunt, CIA

Steve Jameson, CIA, CCSA, CFSA, CRMA

Donald E. Sparks, CIA, CISA

Steven Stein, CIA, PMP, CISA, CISSP, CFE, CGEIT

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/standards-guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

Copyright © 2011 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org
IPPF – Practice Guide

Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements

July 2013
IPPF – Practice Guide
Selecting, Using, and Creating Maturity Models: A Tool for Assurance and Consulting Engagements

Table of Contents

Executive Summary .......... 1
Introduction .......... 2
Example of Maturity Model Use by Internal Auditors .......... 3
Selecting Maturity Models .......... 4
Building and Using Maturity Models .......... 5
A Commonly Accepted Internal Control Environment Maturity Model .......... 11
Key Points for Review .......... 13
Maturity Model Examples .......... 14
Additional Resources .......... 26
About the Authors and Reviewers .......... 27

Executive Summary

Maturity models establish a systematic basis of measurement for describing the “as is” state of a process. A process’s maturity can then be compared to management’s expectations or contrasted with the maturity of other similar processes for benchmarking purposes. Insights also can be derived from the model for determining improvement options that help a process to satisfy its intended objectives over time.

A maturity model describes process components that are believed to lead to better outputs and better outcomes. A low level of maturity implies a lower probability of success in consistently meeting an objective while a higher level of maturity implies a higher probability of success. The organization’s risk tolerance should be considered when determining the level of maturity that management expects to have in place.

Auditors may want to use maturity models as criteria to assess business processes as part of assurance engagements, thus providing an easy-to-communicate understanding of the governance, risk, or control environment under review. In the absence of defined criteria for a process, the auditor can work with management to define adequate criteria using a maturity model.

This practice guide provides guidance on the uses of maturity models, identifies considerations for their selection, and provides instructions on how to build them. Care must be taken to appropriately apply maturity models in assurance or consulting engagements, including validating their applicability to the process under review. Components of existing maturity models are provided for use “as is” or as the foundation for a model tailored specifically to an organization’s process.

Introduction

Organizations may use a maturity model to describe their developmental state or their processes in relation to established expectations of control and management. The classification mechanisms within a maturity model can help organizations simplify the determination of when control and process management is acceptable, or alternatively identify the actions necessary to improve the maturity of the organization or process.

Outcome metrics (e.g., financial return, program compliance, sales, and customer satisfaction) provide in many cases the ultimate criteria for measuring the success of a process. However, management and auditors may want to understand how well the processes leading to those outcomes are designed and functioning. Unfortunately, an assessment of the adequacy of efforts to achieve a given set of outcomes can be difficult to develop given the many variables that drive business performance. An appropriately constructed maturity model can make such an assessment more consistent and repeatable.

The concept for maturity models grew out of total quality management programs, which emphasized continuous improvement. One of the most well known models is the Capability Maturity Model (CMM) developed by the Software Engineering Institute at Carnegie Mellon University to help improve software development.

While many variations of maturity models exist, all models generally have levels from 0 to 5 that describe an organization, management process, control set, or other element of an organization’s operations (i.e., they describe inputs or processes believed to lead to better execution and improved consistency of outcomes). Level 0 is usually some variation of nonexistent or ad hoc execution while level 5 is usually considered a high maturity, sustainable, and/or optimized process. Level 5 may not be an organization’s goal, as the cost to achieve level 5 may at times exceed the benefits. In other words, management’s risk tolerance may be high enough to allow for the process to be less exact or consistent, or it may not be strategically important enough to invest in certain processes to consistently achieve level 5.

Maturity models when appropriately designed provide:
• A framework for envisioning the future, the desired state, and the development of improvement plans.
• Benchmarks for the organization to compare its processes internally or externally.
• A mechanism to provide insight into the improvement path from an immature to a mature process.
• A disciplined method that comparatively is easy to understand and implement.

As suggested by the word “maturity,” an organization’s governance, risk, and control processes evolve over time and may move up or down the maturity scale (the 0 to 5 scale noted previously). Standard 2210.A3 of the International Standards for the Professional Practice of Internal Auditing (Standards) is important for auditors to understand and apply when using maturity models. It states:

“Adequate criteria are needed to evaluate governance, risk management, and controls. Internal auditors must ascertain the extent to which management and/or the board has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management and/or the board to develop appropriate evaluation criteria.”

When using or developing maturity models, the auditor should determine whether “management and/or the board has established adequate criteria” in the selection and application of the model. This practice guide expands on this concept in subsequent sections. Generally, however, consider the following two points:

• An auditor planning to use a maturity model in an assurance engagement should first consider whether the model is fit for purpose.1 Assuming the model is used correctly, is its predictive ability relevant to the business objective being measured? For instance, a maturity model that assesses compliance elements would not be appropriate to provide a perspective on how well an operational business objective is managed.
• An auditor planning to use a maturity model in an assurance engagement should independently determine what “maturity level” of the model is adequate to meet an objective. For instance, level 5 of a customer satisfaction maturity model may not be necessary to achieve a desired business outcome. However, an auditor — after understanding the model and its design — may not agree with a management position that a level 1 process is acceptable for the objective of meeting customer needs.

1 Pöppelbuß, Jens and Röglinger, Maximilian, “What Makes a Useful Maturity Model? A Framework of General Design Principles for Maturity Models and Its Demonstration in Business Process Management” (2011).

Potential Implications by Reporting Methodology

Each row gives the situation, the implication of pass/fail (satisfactory/unsatisfactory) reporting, and the implication of maturity model level reporting.

Organization Needs a Clear Opinion
  Pass/fail reporting: Provides a clear understanding of the auditor’s opinion.
  Maturity level reporting: Unless stated explicitly, readers may not have clarity on what is “good enough.” When is achievement at a certain level acceptable versus not acceptable?

Management Buy-in Is Important to Cultivate
  Pass/fail reporting: Yes/no verdicts may be difficult to deliver. They may also be counterproductive in terms of the time to share, negotiate, and confirm the pass/fail opinion versus the time discussing the actual improvement options.
  Maturity level reporting: Focuses discussion on the level of consistent execution on a continuum — allowing for discussion of continuous improvement options.

Audit of a Complex or Undefined Process
  Pass/fail reporting: Harder to apply a clear pass/fail approach.
  Maturity level reporting: Allows for plotting of distribution along a continuum of process expectations.

Compliance Objective
  Pass/fail reporting: Provides a clear opinion on whether compliance is met.
  Maturity level reporting: Given the expectation of meeting compliance requirements, anything less than the highest level of maturity could be misconstrued as a concern.

Operational Objective
  Pass/fail reporting: More difficult for management and the auditor to identify the exact process deficiencies that constitute a fail versus pass.
  Maturity level reporting: Allows management an easier role for communicating a level of expectation of maturity.

Aspirational/Continuous Improvement Objective
  Pass/fail reporting: May be impossible to create useful pass/fail criteria, as all processes over time may succeed or fail depending on the ease or difficulty of set expectations.
  Maturity level reporting: Allows for a maturity level that all processes can reach yet also includes higher potential levels of maturity that drive aspirational performance.

Example of Maturity Model Use by Internal Auditors

Assume that an organization has just established a community investment group to make donations to charities and other worthwhile causes. The organization expects it

will take two years to develop all the policies and procedures necessary to perform as intended. The long-range vision is for the community investment program to be recognized as one of the top 100 in the country. After performing an audit planning risk assessment, the chief audit executive (CAE) has included this subject in the annual plan six months after the group has been formed.

Potential internal audit objectives could be to evaluate:
• Whether the community investment controls are compliant with relevant laws and regulations.
• Whether an adequate strategic plan is in place to identify and evaluate the impact of charities that are provided donations.

Through the use of a maturity model, the audit function could validate that current charity evaluation efforts are adequate (hypothetically, adequate is level 3 maturity, where an understanding and survey of charity outcomes is in place) but recommend that a sustained level 4 be in place (hypothetically, level 4 calls for proactive monitoring of charity reporting and periodic management validation of charity results).

This continuum of maturity would be in contrast to a pass/fail or satisfactory/unsatisfactory rating process. The maturity model lends itself to providing the criteria, the plotting of the current condition, and the recommendation to move to the next level if such a recommendation is warranted. In the example, the model provides a useful method for assessing a process that is under development (in this case, the community investment group).

The use of maturity models will not be the best evaluation method for auditors to deploy in all cases. When determining whether to use a maturity model, evaluate the situations described in the table Potential Implications by Reporting Methodology and consider the potential implications of different evaluation and reporting methods.

Selecting Maturity Models

Management may have defined a maturity model for its use within the organization. If so, the internal auditor could adopt that model as a tool after carefully evaluating the relevance and adequacy of the model to the assessment or opinion being provided. Alternatively, there are numerous maturity models available for use from industry groups and associations. These models also must be assessed as fit for purpose before use.

Maturity models involve a certain level of subjectivity; therefore, caution is warranted when providing assurance to management that a process is adequately controlled based on an assessment driven by a maturity model. The auditor should ensure the model is fit for purpose and properly implemented. Models may be used to describe the “as is” state of the process, provide prescriptive guidelines on improvement, or compare one process implementation to another.1

The use of a maturity model versus other audit techniques and methodologies should not alter the level of proficiency and due professional care auditors employ. A maturity model should not be deployed as a checklist, supplanting the auditor’s responsibility for independently and objectively identifying unmitigated risk and the potential inadequacy of control. The model should provide a framework and guide for discussion of governance, risk, and control maturity.

In selecting a maturity model, auditors should understand the management objective and the appropriateness of the model in supporting that management objective. Consider the following:
• What is the desired management outcome? For example, does management want to assess systems development lifecycle success, sales process excellence, or environmental safety? What quantitative metrics or qualitative statements describe the desired management outcome?

• Is the model under consideration appropriate for driving the management outcome? The model should have been built by credible subject matter experts either inside or outside the organization who understand the correlation between certain process functions and the organization’s desired outcome. The level of diligence in confirming the predictability of the model will vary — from an internally developed model created by experienced business leaders inside the organization to an externally developed and researched model that considers experiences across many organizations. Either approach could be appropriate for a given situation.

The two key factors to control for in the selection of a model are:
• Would following the model improve the probability that the outcome will be achieved? Alternatively, would the model encourage actions that are counterproductive or focus management’s attention on process improvements that do not correlate with driving the desired outcome?
• Would management have a false sense of confidence that the outcome will be achieved if an assessment — using the model — shows a high state of process maturity? Although following the model and increasing a process’s maturity is expected to improve the chances of a successful outcome, there still may be substantial risk and uncertainty that the outcome will be achieved. Will use of the model provide the appropriate level of confidence?

Disclose the source of the model. Auditors should disclose in their report the source of the model, how the model was constructed, who participated in the construction of the model, and why the auditor — and management, as appropriate — believes the selected model is valid for the process and objective under review.

Building and Using Maturity Models

Auditors with the appropriate proficiency, or in conjunction with management or outside experts, can construct models that are fit for purpose. Auditors who have limited experience with maturity models, or who want to explore more detailed research into their design, should consider reviewing the research paper What Makes a Useful Maturity Model?2

2 Pöppelbuß, Jens and Röglinger, Maximilian, “What Makes a Useful Maturity Model? A Framework of General Design Principles for Maturity Models and Its Demonstration in Business Process Management” (2011).

Building a model involves three steps:
1. Determine the purpose of the model and its components.
2. Determine the scale.
3. Develop the expectations for each component level.

Using a maturity model involves these additional steps:
1. Set targets for each component.
2. Assess the level of maturity by component.
3. Consider what the model may have missed.
4. Report conclusions.
5. Revisit the model regularly.

For the purposes of this section, start by skimming Example 3, Public Sector Internal Audit Capability Maturity Model (see page 24) and then return here to continue with the discussion on building a model.

Building a Maturity Model

Step 1 – Determine the purpose of the model and its components.

The objective to be addressed should first be defined in the same way as if the auditor were going to select a model that was already built. Auditors should consider these questions:
• What does management want to assess (e.g., systems development lifecycle success, sales process excellence, or environmental safety)?
• What business processes are involved?
• Will the model be applied across many different types of management processes to improve general compliance, controls, or organizational governance?
• Is internal audit assessing an industry or company specific set of tasks that require some degree of specialized process knowledge, tools, techniques, or skills?
• How can internal audit state the expected outcome from the process in terms of metrics or a qualitative statement?

With the objective in mind, the components that drive that objective are then identified. This is the most important part of the model’s development in that the auditor is identifying the critical elements that — based on the model builders’ judgment — will improve the probability of achievement of the objective and outcome.

Auditors will want to document their plan for developing the model — outlining the research and data gathering techniques (such as facilitation of subject matter experts) that help determine which components should be part of the model. Auditors should consider the following when selecting components:
• Will the component — if managed consistently — improve the probability of achieving the outcome?
• If a component is not included, will that decrease the probability of achieving the outcome? Use caution here to focus on including the critical few components that deserve attention, improvement, and consistent execution versus everything that management could be doing to oversee the process.
• Can the model builder evaluate the correlation between the component and the desired outcome? Is that correlation based on a study or research comparing processes with high and low maturity to the outcomes across those processes? Alternatively, do subject matter experts and experienced professionals — who could include management and auditors — believe the component contributes to increasing the probability of achieving the outcome? What research, evidence, or subject matter expertise can internal audit rely on in making this determination?

In the reference model — Example 3 — one component is Professional Practices. One can assume the authors of that model felt that a higher state of maturity in following professional practices contributes to the desired outcome of public sector internal audit functions. This component apparently was part of the critical few areas that, if left out or not consistently managed, would be detrimental to the management objective. Finally, one can assume that research shows a distinction between the level of outcomes achieved by public sector internal audit functions without high maturity in professional practices and those with high maturity. That research might be quantitatively driven through statistical correlation or qualitatively driven through interviews with subject matter experts and CAEs in the field.

The components will vary based on the management objective. When compliance is the objective, specific compliance controls, governance expectations, relevant regulatory skill sets, and other elements may be important components of the model. If assessment of the general control environment is the objective, then basic segregation of duties, control mapping, and risk assessment concepts may be important components. In an assessment of an organization’s field sales offices, certain practices on sales prospect tracking or market analysis may be considered key components.

Components are those categories of process attributes relevant and necessary to meet — or to at least improve the likelihood of meeting — the objective being assessed. Turning back to Example 3, the research study on public sector internal audit capability found these components relevant:
• Services & Role of IA
• People Management
• Professional Practices
• Performance Management & Accountability
• Organizational Relationships & Culture
• Governance Structures

Practitioners participating in The IIA’s research that created model Example 3 determined that an assessment of the capability of a public sector audit function needed to consider these six components. These components are the drivers of success or failure, capability building or capability destruction, for the internal audit function under review.

Caution: Determining the components could range from an exercise as simple as a single meeting to gather perspectives from experienced subject matter experts in the organization to an extensive, fully funded empirical research study that determines through statistical analysis across many processes and organizations what components truly impact the desired outcome under review. Auditors should be clear about the level of predictability they want their model to have. In most cases, a formal gathering of subject matter experts in the organization may be adequate for the component selection necessary to provide insights and improvements to the organization and some reasonable level of assurance regarding furthering the process objective.

Step 2 – Determine the scale.

Once the components are identified, the auditor should determine what scale will be used. The examples that are shown in this practice guide use a level 0 or level 1 as the base level going up to level 5 as the highest level of maturity. Generally the lowest level is an absence of controls and process discipline while level 5 is reserved only for those very few processes that exhibit an optimized or best practice execution. In the reference model, Example 3, the Public Sector Internal Audit Capability Maturity Model, five levels are used:

Level 5 – Optimizing
Level 4 – Managed
Level 3 – Integrated
Level 2 – Infrastructure
Level 1 – Initial

Caution: When developing the model, the auditor should carefully consider the words used to title each level. “Best Practice,” for instance, is a catch phrase that can be misapplied and cause confusion. Every level may not need to be “Best Practice,” as that is beyond the risk tolerance needs of the organization. The titles should help convey the achievement expected at each level.

Step 3 – Develop the expectations for each component level.

The next step is to define the expectations regarding what should be in place for a process to have met a given level for each component being assessed. Example 1, Process Capability Maturity Model, has six components that the model developers felt are key to general process governance:
• Strategic Planning/Financial Management
• Customer/Stakeholder Expectations
• Risk
• Metrics
• Human Capital
• Process Management and Self-assessment

Using Customer/Stakeholder Expectations, one can review the expectations set for each level. In the following grid, each level builds on the level before — meaning that to achieve level 4 it is expected that the requirements in levels 1-3 have also been demonstrated.
Customer/Stakeholder Expectations, by level:

Level 1 – Reactive: Stakeholder expectations are identified or tracked informally.
Level 2 – Repeatable: Process decision-making is based on stakeholder expectations and feedback.
Level 3 – Defined & Managed: Key stakeholders are identified. Expectations for “critical to quality satisfaction” are documented. Process success in meeting expectations and feedback is monitored.
Level 4 – Sustained: Stakeholder feedback is collected via surveys, focus groups, and innovative voice of the customer methodologies. Rework/mistakes impacting stakeholder expectations have improvement projects underway.
Level 5 – Optimized: Stakeholder feedback validates that the process meets or exceeds stakeholder expectations. Proactive initiatives are in place to minimize or eliminate rework/mistakes.

In this example, the model builders created a progressively higher set of expectations culminating in level 5 Optimized — a process whose stakeholders confirm the process meets their expectations and management has proactive efforts to reduce mistakes. In this case, the model builders built the model with the intention that all processes should achieve level 3 while only critical processes are expected to expend the effort to reach level 5.

To build out this component, the team that created the model would have considered the range of options for managing customer and stakeholder expectations and then created the expectations within each level. Just as with the determination of which components to use, the actual requirements within a component may be determined through in-depth research or through facilitated conversation with subject matter experts. A maturity model focused on general processes, such as the one used in this example, will generally be applicable to any process. A maturity model focused on a specific industry or function may require specific diligence and demonstrated achievements regarding specialized people, process, and technology.

Considerations during this step include:
• How well does each level build on the previous level?
• How well do the expectations in each level align to the expectation to have a process meet a certain level of maturity — say level 3 versus level 5?
• For the expectations in each box, will a process or organization that achieves that requirement have a reasonable chance of achieving the outcome envisioned for that level — say being “Defined and Managed” for level 3 or “Sustained” for level 4?
• Are the expectations for a given level consistent across components? For instance, are the requirements for level 3 for this component — Customer/Stakeholder Expectations — appropriately equivalent to the level 3 requirements for Human Capital?

Caution: The same level of diligence that was applied in determining what key components should exist in the model should be applied when setting the expectations within each level of the model. Determine the key requirements versus everything that could be done.


The auditor’s model should now resemble the model below with specific components and expectations by level inserted.
The auditor may have selected more components or a different number of levels for the model.

LEVEL 1 | LEVEL 2 | LEVEL 3 | LEVEL 4 | LEVEL 5

Component 1: Expectations – Component 1 / Level 1 | Expectations – Component 1 / Level 2 | Expectations – Component 1 / Level 3 | Expectations – Component 1 / Level 4 | Expectations – Component 1 / Level 5

Component 2: Expectations – Component 2 / Level 1 | Expectations – Component 2 / Level 2 | Expectations – Component 2 / Level 3 | Expectations – Component 2 / Level 4 | Expectations – Component 2 / Level 5

Component 3: Expectations – Component 3 / Level 1 | Expectations – Component 3 / Level 2 | Expectations – Component 3 / Level 3 | Expectations – Component 3 / Level 4 | Expectations – Component 3 / Level 5

Using a Maturity Model

Step 4 – Set a target for each component.

Once the scale and components are defined, the next step is to determine the organization’s target maturity level for each component. Generally speaking, cost/benefit analysis shows that not all components of a process should operate at the highest level of maturity. In conjunction with the assessment of an organization’s risk appetite, the target maturity for some components may be, for instance, Level 3 or Level 4. The organization may not want to expend the resources to move those components to a high level of maturity and accepts the risk that the process’s objectives have a higher probability of failure as a result. Auditors should refer to The IIA’s Standards regarding risk and communicating risk acceptance for further guidance.

Consider the following contrasting examples:

• Management has built a sales office maturity model for assessing the process maturity of its 100 sales offices. Management expects all sales offices to achieve level 5 (optimized) over time, but allows each office to prioritize what will be addressed first across the components being assessed. However, any component assessed at level 1 or 2 is considered a red flag, requiring an immediate intervention plan by regional leadership.

• The organization has adopted a general process governance maturity model. All processes are expected to evaluate their adherence to the model; however, only level 3 achievement is expected for all processes. Each management function determines which specific processes are critical to the organization, and thus require a 4 or 5 level of maturity. Non-critical processes may be specifically excluded from the requirement to “deploy the resources to reach the highest state of maturity” as that would not be an optimized allocation of resources across the organization.

Caution: Auditors should not assume that managers should seek to obtain the highest level of maturity for all maturity model components across all processes being assessed. These may be too costly or risk adverse for the organization. The goal of a model is to present the range of possibilities, assess the current maturity of the process, and then set goals for improvements where such improvements make sense and are in alignment with organizational objectives.


Step 5 – Assess the level of maturity by component.

Finally, the auditors assess the process itself through observation, inquiry, re-performance, and other appropriate tests to validate the current maturity of the process. Most models are built with the presumption that to achieve a given level, all the requirements of that level and all lower levels have been achieved. The task is no different than any other audit, with the maturity model serving as the criteria in the assessment.

One method of assessment an audit function could use would be to have management of the process or function under review conduct a self-assessment, including a collection of any evidence of performance. The audit function would then validate that assessment.

Step 6 – Consider what the model may have missed.

All maturity models are built on the research, understanding, and perspectives gained from the evaluation of previous business process implementations — not an evaluation of the current execution of the process under review. Moreover, no model can consider all the circumstances that may mitigate the risk that an outcome will not be achieved. Care should be taken not to apply the model as a simple checklist.

Auditors should always conduct their work in a way that will allow for the identification of significant risks to the organization’s objectives. Accordingly, use of a maturity model does not preclude an auditor from the responsibility to consider for the specific process under review what the model may be missing in terms of risk mitigation and control guidance. Auditors must apply due professional care in determining the level of analysis beyond just the application of the model necessary to fulfill their engagement scope. That scope should be documented as noted in the next step.

Step 7 – Report on conclusions.

As noted previously, the basis for selection of the model as well as details on how the model was designed should be clearly disclosed in any reporting for which a model is the basis of the assessment. The purpose of the model — that on which the model is providing a perspective — should be clear. If management has determined the level of maturity that is considered adequate, the auditor should independently determine whether “management has established adequate criteria” in the selection and application of the model. (See Standard 2210.A3)

Auditors — and management — must be cautious however not to overstate the probability that a given level of process maturity will achieve a specified outcome over time. Any language that purports to guarantee or ensure achievement of a specific outcome given that the process has met a given state of maturity should be avoided.

Auditors should determine how the actual output metrics of the process under review should be provided in the report and validated as appropriate. For instance, a manufacturing process may be assessed at a high level of maturity but customers continue to reject manufactured parts. These facts may not invalidate the appropriateness of the maturity model; however, reporting on simply the model assessment — a high level of maturity — may be misleading to a reader without the context of the actual outcome metrics.

As noted in the previous step, auditors have an obligation to think outside the model — regardless of how well constructed it may be — to consider whether the specific circumstances under review may lead to other gaps in governance, risk, or control implementation. If that is the case, the auditor should discuss such gaps in the report. Alternatively, if the engagement scope was to simply apply the model without any additional consideration of unmitigated risks, that focused scope should be clearly disclosed. Here is an example of such a disclosure.
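The cumulative rule in Step 5 (a level counts only when its requirements and those of every lower level are evidenced) and the target-versus-current comparison set up in Step 4 can be captured in a small scoring helper. The Python below is an added illustration, not code from the IIA guide: the component names, requirement texts, targets, evidence set, and the red-flag threshold (level 3, borrowed from the sales-office example where a level 1 or 2 result is a red flag) are all constructed sample data, abbreviated from the guide's tables.

```python
"""Maturity-model scoring helper (added illustration, not from the IIA guide).

Rules implemented:
  * Cumulative rule (Step 5): a component achieves level L only when every
    requirement of level L and of all lower levels is evidenced.
  * Target comparison (Step 4 / reporting): current level vs. management's
    target, with a red flag for components below a threshold.
Level 1 ("Reactive") is treated as the floor: every process is at least
level 1, so requirements are listed for levels 2 to 5 only.
"""
from dataclasses import dataclass

LEVEL_NAMES = {1: "Reactive", 2: "Repeatable", 3: "Defined & Managed",
               4: "Sustained", 5: "Optimized"}

# Constructed, abbreviated requirements for two components of the guide's model.
MODEL = {
    "Customer/Stakeholder Expectations": {
        2: {"decisions based on stakeholder feedback"},
        3: {"key stakeholders identified",
            "critical-to-quality expectations documented",
            "success in meeting expectations monitored"},
        4: {"feedback collected via surveys/focus groups",
            "rework improvement projects underway"},
        5: {"feedback validates expectations met",
            "proactive rework-elimination initiatives"},
    },
    "Risk": {
        2: {"annual review of process risks", "risk considered in project plans"},
        3: {"comprehensive risk assessment process",
            "likelihood and impact formally evaluated"},
        4: {"risk tolerance articulated", "mitigation plans implemented",
            "assessment reviewed during the year"},
        5: {"risk built into resource allocation ROI",
            "risks mitigated below tolerance"},
    },
}


@dataclass
class ComponentResult:
    component: str
    current: int
    target: int
    red_flag: bool
    orphan_evidence: frozenset  # evidence above the achieved level

    @property
    def gap(self) -> int:
        return max(0, self.target - self.current)


def achieved_level(requirements: dict, evidence: set) -> int:
    """Highest level whose requirements, and all lower levels', are fully met."""
    level = 1  # floor
    for lvl in sorted(requirements):
        if requirements[lvl] <= evidence:
            level = lvl
        else:
            break  # a gap at this level stops the climb, whatever lies above
    return level


def orphan_evidence(requirements: dict, evidence: set, achieved: int) -> frozenset:
    """Evidence satisfying requirements above the achieved level. Under the
    cumulative rule it does not raise the level, but it belongs in the report."""
    higher = set().union(*[reqs for lvl, reqs in requirements.items() if lvl > achieved])
    return frozenset(evidence & higher)


def assess(model: dict, targets: dict, evidence: dict, red_flag_below: int = 3) -> list:
    results = []
    for component, requirements in model.items():
        ev = evidence.get(component, set())
        current = achieved_level(requirements, ev)
        results.append(ComponentResult(
            component=component, current=current, target=targets[component],
            red_flag=current < red_flag_below,
            orphan_evidence=orphan_evidence(requirements, ev, current)))
    return results


def report(results: list) -> str:
    """Plain-text target-vs-current summary, one component per line."""
    lines = []
    for r in results:
        status = "RED FLAG" if r.red_flag else (f"gap {r.gap}" if r.gap else "target met")
        lines.append(f"{r.component}: current L{r.current} ({LEVEL_NAMES[r.current]}), "
                     f"target L{r.target} ({LEVEL_NAMES[r.target]}) -> {status}")
        if r.orphan_evidence:
            lines.append("  note: evidence above the achieved level does not count: "
                         + ", ".join(sorted(r.orphan_evidence)))
    return "\n".join(lines)


# Constructed sample targets and evidence an auditor might have gathered.
SAMPLE_TARGETS = {"Customer/Stakeholder Expectations": 3, "Risk": 4}
SAMPLE_EVIDENCE = {
    "Customer/Stakeholder Expectations": {
        "decisions based on stakeholder feedback",
        "key stakeholders identified",
        "critical-to-quality expectations documented",
        "success in meeting expectations monitored",
        "feedback collected via surveys/focus groups",  # level 4 only partly met
    },
    "Risk": {
        "annual review of process risks",  # level 2 incomplete: no project-plan evidence
        "comprehensive risk assessment process",
        "likelihood and impact formally evaluated",
    },
}

if __name__ == "__main__":
    print(report(assess(MODEL, SAMPLE_TARGETS, SAMPLE_EVIDENCE)))
```

The Risk component illustrates the point of the cumulative rule: two level 3 requirements are evidenced, but one level 2 requirement is not, so the component scores level 1 and is red-flagged; the level 3 evidence is surfaced as a note rather than silently discarded.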


[Template grid repeated from above: Components 1–3 by Levels 1–5, each cell “Expectations – Component n / Level m”, annotated with two arrows per component.]

Purple Arrow = Target Level; Orange Arrow = Current Level

“Our evaluation was limited to the application of the maturity model to x process. This maturity model was based on research conducted by x and enhanced using subject matter experts identified by management.

We did not conduct additional analysis designed to identify additional unmitigated risks that could impact the probability of the process achieving management’s objectives. If we had conducted such additional analysis, other gaps may have come to our attention.”

This model (above) shows two colors as an example of one reporting scheme. One color represents the expected level of achievement while the other represents the current level. Where gaps exist, the auditor will want to work with management to develop recommendations for improvement.

Step 8 – Revisit the model regularly.

After applying the model, internal audit will want to revisit how each of the model elements (levels, components, and expectations) when implemented appears to be achieving the desired process outcomes. Is the expectation to achieve a certain level too high? Alternatively, does the assessment seem too easy and not driving improvements that raise the bar on expected process resiliency? Over time, the auditor will want to understand any process outcome misses and tie that learning into the improvement of the model itself. Was the miss an indication that changes in expectations in a given component at a given level should be considered to increase the probability of achieving the objective going forward?

A Commonly Accepted Internal Control Environment Maturity Model

Included on page 12 is the internal control environment maturity model from COBIT 4.1 (Control Objectives for Information Technology) released by ISACA3. While ISACA has released subsequent versions of COBIT — including COBIT 5 — this model still provides a useful reference for considering the maturity of a control environment.

ISACA’s development of the model in COBIT 4.1 involved research of a variety of maturity models. Accordingly, internal auditors may use the model as a basis for their assessment of the maturity of internal control structures or development of their own maturity models. The model uses just one component (Internal Control Environment) and 6 levels ranging from nonexistent to optimized.

3 COBIT 4.1, 2007 © IT Governance Institute, Appendix III, p. 186. All rights reserved. Used with permission.


COBIT 4.1

MATURITY LEVEL – STATUS OF THE INTERNAL CONTROL ENVIRONMENT

0 – Nonexistent: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.

1 – Initial/ad hoc: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.

2 – Repeatable but intuitive: Controls are in place but are not documented. Their operation is dependent on knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.

3 – Defined process: Controls are in place and are adequately documented. Operating effectiveness is evaluated periodically and there are an average number of issues. However, the evaluation process is not documented. Although management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.

4 – Managed and measurable: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.

5 – Optimized: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management, and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.


Key Points For Review


Given the care that must be taken when applying maturity models, auditors should review these key points over the course
of an engagement.

Key Points for Review

An auditor planning to use a maturity model in an assurance engagement should first consider whether the model is fit for purpose.

An auditor planning to use a maturity model in an assurance engagement should independently determine what “maturity level” of the model is
adequate to meet an objective.

Maturity models involve a certain level of subjectivity; therefore, caution is warranted when providing assurance to management that a process is
adequately controlled based on an assessment driven by a maturity model. Ask yourself these questions when considering using a model.
• Would following a model improve the probability that the outcome would be achieved?
• Would management have a false sense of confidence that the outcome would be achieved if an assessment — using the model — shows a high
state of process maturity?

Auditors should disclose in their report the source of the model, how the model was constructed, who participated in the construction of the model,
and why the auditor — and management, as appropriate — believes the selected model is valid for the process and objective under review.

Auditors should clearly assess the level of predictability they want their model to have.

Auditors should not assume that managers should seek to obtain the highest level of maturity for all maturity model components across all processes
being assessed. These may be too costly or risk adverse for the organization.

Care should be taken not to apply the model as a simple checklist. Auditors should always conduct their work in a way that will allow for the
identification of significant risks to the organization’s objectives. Accordingly, use of a maturity model does not preclude an auditor from the
responsibility to consider for the specific process under review what the model may be missing in terms of risk mitigation and control guidance.

Auditors — and management — must be cautious not to overstate the probability that a given level of process maturity will achieve a specified
outcome over time. Any language that purports to guarantee or ensure achievement of a specific outcome given that the process has met a given
state of maturity should be avoided.

Auditors should determine how the actual output metrics of the process under review should be provided in the report and validated as appropriate.

After applying the model, internal audit will want to periodically revisit how each of the model elements (levels, components, and expectations)
appears to be achieving the desired process outcomes.


Maturity Model Examples

The following three models are examples that auditors can use as provided or leverage in the development of their own maturity models. The example models each use six components and five levels of maturity to address their objectives:

Example 1: Fortune 100 Company Process Capability Maturity Model

Example 2: Compliance and Ethics Program Maturity Model

Example 3: Public Sector Internal Audit Capability Maturity Model

Example 1: Process Capability Maturity Model

A Fortune 100 company took the concept of the maturity model and tailored it to the organization’s environment in the following example. The objective of the model is to address the overall process capability maturity across six process components: Strategic Planning/Financial Management, Customer/Stakeholder Expectations, Risk, Metrics, Human Capital, and Process Management/Self-assessment. This framework has been successfully applied for both high-level process reviews and detailed sub-process reviews. The model was constructed using input from experienced audit professionals as well as members of an internal process consortium.

Management sets a target for each component (level 1 to level 5) and conducts a self-assessment. The internal audit function then independently audits the process and opines on the level of maturity. Management and internal audit agree on the artifacts that demonstrate each level of maturity.

Levels: Level 1 – Reactive; Level 2 – Repeatable; Level 3 – Defined & Managed; Level 4 – Sustained; Level 5 – Optimized

Notes:
• Level 3: Suggested Minimal Target Level.
• Level 5: ROI hurdle rate does not justify all processes achieving this level.

General Description

Level 1 – Reactive:
• Process is not formalized.
• Inconsistent execution.

Level 2 – Repeatable:
• Process is more formalized (documented).
• Repeatable execution.
• Management understands overall process.

Level 3 – Defined & Managed:
• Process is fully defined and executed consistently.
• Adequate metrics are defined to allow for quality assurance/self-assessment capabilities.

Level 4 – Sustained:
• Management decision-making and continuous improvement projects are based on data, metrics, and formal quality assurance/self-assessment feedback.

Level 5 – Optimized:
• Perfect service levels are achieved.
• Independently verified as best in class.
• Innovative ideas and techniques are piloted on an ongoing basis.


Process Capability Maturity Model

Strategic Planning/Financial Management

Level 1 – Reactive:
• Initiatives are identified and tasks assigned.

Level 2 – Repeatable:
• Initiatives are re-evaluated annually.
• Project milestones are monitored.
• Resources are allocated and tracked.

Level 3 – Defined & Managed:
• Business unit/department/strategic planning includes 1-3 year initiatives based on stakeholder expectations.
• Financial, process, human resource, and risk management elements are included in the planning.

Level 4 – Sustained:
• Strategic planning process supports corporate strategic plan in terms of customer growth, segment profit margin, competitive advantage and strategic intent fulfillment.
• Prioritization of resources and initiatives is based on ROI or governance/compliance requirements.

Level 5 – Optimized:
• 1-3 year strategic planning initiatives consistently meet their milestone goals.
• Financial and stakeholder expectations are met.
• The strategic plan incorporates alternatives and options for long-term (3-6 year) industry and regulatory changes.

Customer/Stakeholder Expectations

Level 1 – Reactive:
• Stakeholder expectations are identified or tracked informally.

Level 2 – Repeatable:
• Process decision-making is based on stakeholder expectations and feedback.

Level 3 – Defined & Managed:
• Key stakeholders are identified.
• Expectations critical to quality satisfaction are documented.
• Process success in meeting expectations and feedback is monitored.

Level 4 – Sustained:
• Stakeholder feedback is collected via surveys, focus groups, and innovative voice of the customer methodologies.
• Rework/mistakes impacting stakeholder expectations have improvement projects underway.

Level 5 – Optimized:
• Stakeholder feedback validates that the process meets or exceeds stakeholder expectations.
• Proactive initiatives are in place to minimize or eliminate rework/mistakes.

Risk

Level 1 – Reactive:
• Limited or no risk assessment occurring.

Level 2 – Repeatable:
• At least annually, a review of process risks is performed.
• Risk is considered in project plans and initiatives.

Level 3 – Defined & Managed:
• A comprehensive risk assessment process is developed that covers strategic, financial, compliance, and operational risks.
• Potential risk hazards or opportunities are formally evaluated for likelihood and impact.

Level 4 – Sustained:
• Management formally articulates risk tolerance.
• Specific mitigation plans are implemented based on the assessment and cost/benefit analysis.
• The risk assessment is reviewed and updated as appropriate throughout the year.

Level 5 – Optimized:
• Resource allocation ROI incorporates risk assessment into the prioritization process.
• Risks are mitigated below the risk tolerance goals set by management.


Metrics

Level 1 – Reactive:
• Few or no metrics are identified, tracked, or reported.

Level 2 – Repeatable:
• Key metrics are identified and measurement elements are accurate.
• Methods are in place to track and report to management on a continuous basis.

Level 3 – Defined & Managed:
• Key metrics with target performance indicators are identified for financial, compliance, strategic, operational, human resources, and stakeholder attributes (balanced scorecard).
• Measurement of actual performance to target metrics is accurate and communicated to management and associates.

Level 4 – Sustained:
• Key metrics, targets, and measurement systems are re-evaluated and validated continuously for process changes, resource changes, and corporate strategy initiatives.
• Specific improvement initiatives are developed and prioritized for metrics not meeting performance goals.

Level 5 – Optimized:
• Key metric targets are reached consistently for all areas.
• Proactive activities are implemented so gaps are not incurred between actual and target.

Human Capital

Level 1 – Reactive:
• A resource development process does not exist or is informal.
• A resource training process does not exist or is informal.

Level 2 – Repeatable:
• The development process is formalized and documented for all levels of associates.
• Role descriptions and expectations are documented and communicated.
• Training programs are implemented.

Level 3 – Defined & Managed:
• A formalized resource development process is executed consistently.
• A formalized training program for all levels is established and its completion is tracked.
• A formalized succession plan and recruiting plan are in place.

Level 4 – Sustained:
• Target metrics on workforce efficiency and effectiveness are identified and measurement methods are in place for actual results.
• Continuous improvement projects are initiated for gaps between actual performance and targeted metric.
• Compensation correlates to documented performance management expectations and contributions.

Level 5 – Optimized:
• Key metric targets are reached consistently for all areas.
• Proactive activities are implemented so gaps are not incurred between actual and target.


Process Capability Maturity Model

Process Management and Self-assessment

Level 1 – Reactive:
• Processes and procedures are not documented or known informally.

Level 2 – Repeatable:
• Policies, high-level procedure documents, and basic templates exist that drive repeatable processes.
• Controls are identified and noted in the documentation.

Level 3 – Defined & Managed:
• Documentation is maintained, communicated, and accurate.
• Standard evidence is available, including a process control management system, process narratives, and process flows.
• Documentation is readily available for outside audit without advance notice.

Level 4 – Sustained:
• Key controls and control execution standards are tracked for current and new processes/products.
• Formal quality assurance through self-assessment is executed regularly for key processes.
• Record retention policies are in place and monitored.

Level 5 – Optimized:
• Process documentation and controls are proactively developed and validated before new systems, products, or initiatives.
• Proactive initiatives are taken based upon gaps identified through self-assessments.


Example 2: Compliance and Ethics Program Maturity Model


This is adapted from a model published by The IIA’s Research Foundation (IIARF) that applies to an organization’s
compliance and ethics program.

Compliance and Ethics Program Maturity Attributes4

Levels: Initial; Repeatable; Defined; Mature; World Class

1. Code of Ethics
How effectively does the code outline management’s expectations regarding ethical conduct?

Initial:
• There is no formally documented code of ethics.
• In general, there are no other means of communicating management’s expectations regarding ethical conduct.

Repeatable:
• A code of ethics has been developed, but it may not be comprehensive or current.
• Experienced employees generally understand management’s expectations regarding ethical conduct, but new employees may not have any way of determining those expectations.

Defined:
• A comprehensive code of ethics exists, was approved by the board, and is reviewed every two to three years to determine what updates are needed.
• All employees must sign off annually that they are in compliance with the code of ethics.
• New employees must sign a document asserting that they have read and understand the code.

Mature:
• The code of ethics is reviewed as appropriate by outside legal counsel to ensure it remains current and appropriate.
• The code of ethics is reviewed annually and updated as necessary.
• All employees must complete annual questionnaires that ask more probing questions regarding compliance with the code of ethics.

World Class:
• Specific compliance and ethics policies are in place to support and provide additional guidance on key components of the code.
• Periodic focus groups and/or surveys are conducted with a representative sample of employees to assess their understanding of the code of ethics and their perceptions on the level of compliance throughout the organization.

4 Adapted from the IIA Research Foundation. Internal Auditing: Assurance & Consulting Services. Altamonte Springs, Fla.: IIARF, 2009.


2. Culture and Consistency
How does the organization perceive management’s commitment to compliance?

Initial:
• The organization seems indifferent to compliance and ethics.
• The program was developed by very few individuals with no outside input.
• There are perceptions of disciplinary inconsistencies and “playing favorites.”
• People are promoted without formal consideration of ethical conduct.
• Events of noncompliance are typically learned from complaints versus monitoring or audit activities.

Repeatable:
• There are perceptions that compliance and ethics are important.
• The program was developed to address legal ramifications of noncompliance.
• Discipline is generally left to the discretion of business and department managers and, as such, is not always consistent.
• Although ethical conduct seems to be considered, it’s not a part of job descriptions.
• Events of non-compliance are generally reported timely, but there are few efforts to report events before they become noncompliant.

Defined:
• The perception is that senior management takes compliance and ethics seriously and “walks the talk.”
• The program was developed with input from legal, human resources, and internal audit.
• Human resources is consulted to make sure disciplinary actions are appropriate and compliant with regulations.
• Job descriptions include expectations for ethical conduct.
• Many employees raise compliance questions before they become a problem.

Mature:
• Compliance and ethics are topics at organization and department-level meetings, ensuring a consistent cultural message.
• The program was developed with input from various employee groups.
• Disciplinary decisions involve an appropriate mix of human resources, legal, and compliance personnel to ensure appropriateness and consistency.
• Job descriptions and interviews formally cover ethical conduct.
• Employees feel empowered to raise questions about compliance matters.

World Class:
• Periodic surveys or focus groups are conducted to assess the perception of the compliance and ethics culture and make adjustments when needed.
• Periodic input is solicited from employees to help improve the program.
• Disciplinary actions are reviewed by an independent group (e.g., internal audit) to support the consistency of such actions.
• People are recognized for demonstrating ethical conduct.
• Some employees make recommendations for improving the compliance program.


3. Awareness
How aware are employees and outside stakeholders of the compliance and ethics program and its requirements?

Initial:
• Employees are generally aware that the program exists but are not sure how to get information.
• Employees aren’t familiar with specific requirements.
• Employees don’t know who manages the compliance and ethics program.
• Stakeholders know nothing about the program.

Repeatable:
• Employees are aware the program exists, went through training once, and intuitively know some of the requirements contained in the program.
• Employees know who the chief compliance officer is, but not others involved in managing the compliance and ethics program.
• Stakeholders assume a program exists but don’t know anything about it.

Defined:
• There is widespread employee awareness of the program.
• All employees went through training in the last three years.
• Employees know who the chief compliance officer and the compliance managers are.
• Stakeholders are aware a program exists and can find references on the company’s website.

Mature:
• Annual training reinforces the program, with individual modules delivered in more depth.
• Employees know which individuals are responsible for key compliance areas.
• Compliance with the program and ethical expectations are covered in the contracts with vendors.

World Class:
• Communications occur regularly to remind/update employees on program expectations.
• The program is part of external sustainability reporting conducted annually.


Compliance and Ethics Program Maturity Model

4. Structure and Accountability
How effective is the structure for managing the program and enforcing accountability?

Initial
• There is no formal compliance and ethics program structure.
• Independent oversight is nonexistent or ad hoc.
• Accountability is not defined.
• Investigations are ad hoc.
• Compliance risks are not understood.

Repeatable
• A compliance officer has been designated, but the responsibilities of the position are not well-developed.
• Oversight and monitoring are inconsistent and reactionary.
• Accountability is broadly understood, but not formally documented.
• Investigations are typically conducted by the appropriate personnel.
• Compliance risks are generally understood but not formally documented.

Defined
• A compliance and ethics structure has been established, with accountability assigned to officers responsible for compliance areas.
• Oversight is defined from a senior management and board perspective.
• Monitoring is established, including internal audit and others.
• There is a focal point for determining who should conduct investigations.
• Compliance risks and scenarios are documented.

Mature
• Reporting by compliance area officers to the chief compliance officer is timely and consistent.
• The applicable board committee receives quarterly updates on compliance and ethics matters.
• Internal audit has a consistent plan for auditing all compliance risks.
• A formal investigation protocol exists that outlines appropriate resources to use (internal vs. external), documentation requirements, and how investigations are closed.
• A formal compliance risk assessment has been completed.

World Class
• An integrated monitoring plan has been implemented that involves the chief compliance officer, compliance area officers, and internal audit.
• Sensitive or significant investigations are conducted in accordance with the protocol by individuals trained in forensic and investigation techniques.
• Compliance risk scenarios have been identified, assessed, and mapped to compliance controls, and are updated at least annually.


5. Process Automation and Integration
How effectively are compliance and ethics controls and processes standardized, integrated, and automated?

Initial
• There are no formal compliance and ethics controls and procedures, although many employees know intuitively how to act.
• There is no formal protocol for employees or outsiders to report suspected events of non-compliance.
• Information/data related to compliance and ethics is not available.

Repeatable
• There are some compliance and ethics controls and procedures, but they are not consistent across the organization nor formally documented.
• There is limited testing of the controls and procedures in place.
• Employees generally understand that they can contact legal or human resources if they suspect an event of noncompliance.
• Information/data related to compliance and ethics events is difficult to compile.

Defined
• Compliance and ethics controls and procedures are well documented and standardized across the organization.
• Compliance and ethics controls and procedures are tested periodically to identify gaps or weaknesses.
• An external hotline is in place through which employees or outsiders can report suspected events of non-compliance.
• Some compliance and ethics controls are integrated with other business processes and automated to the extent supported by existing systems.
• Some standard reports are prepared related to compliance and ethics events.

Mature
• Compliance and ethics controls and procedures are an integral part of business processes.
• Many compliance and ethics controls address key compliance risks as part of a governance, risk, and compliance (GRC) view of the program.
• There are multiple avenues through which employees or outsiders can report suspected events of noncompliance, and all follow a consistent protocol for gathering information on the event and escalating it.
• A consistent test plan is used to ensure compliance and ethics controls and procedures operate effectively.
• Technology is used to aid in the identification and investigation of compliance and ethics events.

World Class
• The company has established an integrated GRC program that ensures compliance risks are managed to be consistent with the organization’s risk appetite.
• Event management software is used to ensure all key data is gathered and the resolution of events is completely and consistently documented.
• GRC software is used to provide integrated information on the program.
• Integrated technology routines are run regularly to prevent or detect timely potential compliance and ethics events.


6. Goals and Metrics
How is success of the compliance and ethics program measured?

Initial
• No formal goals or metrics exist or are contemplated.

Repeatable
• Although goals and metrics are not formalized, employees generally understand that the absence of compliance and ethics events is indicative of a successful program.

Defined
• Broad compliance and ethics goals are established and communicated.
• Broad metrics exist to measure the nature and frequency of compliance and ethics events.

Mature
• Specific compliance and ethics goals are integrated into the annual goal setting process for each compliance area.
• Metrics are established for each compliance area.

World Class
• All employees have individual compliance and ethics goals.
• Metrics are integrated into the overall performance measurement process.


Example 3: Public Sector Internal Audit Capability Maturity Model


In addition to applying the maturity model to different processes within the organization, internal audit also can assess its own processes by tailoring the maturity model framework. The example below is adapted from a model published by The IIARF. It was built for assessing public sector internal audit departments but can easily be adapted and applied to all sectors.

Internal Audit Capability Model Matrix5

Columns: Services & Role of IA | People Management | Professional Practices | Performance Management & Accountability | Organizational Relationships & Culture | Governance Structures

Level 5 – Optimizing
Services & Role of IA: • Internal audit is recognized as key agent of change.
People Management: • Leadership involvement with professional bodies. • Workforce projection.
Professional Practices: • Continuous improvement in professional practices. • Strategic internal audit planning.
Performance Management & Accountability: • Public reporting of internal audit effectiveness.
Organizational Relationships & Culture: • Effective and ongoing relationships.
Governance Structures: • Independence, power, and authority of the internal audit activity.

Level 4 – Managed
Services & Role of IA: • Overall assurance on governance, risk management, and control.
People Management: • Internal audit contributes to management development. • Internal audit actively supports professional bodies. • Workforce planning.
Professional Practices: • Audit strategy leverages organization’s management of risk.
Performance Management & Accountability: • Integration of qualitative and quantitative performance measures.
Organizational Relationships & Culture: • CAE advises and influences top-level management.
Governance Structures: • Independent oversight of the internal audit activity. • CAE reports to top-level authority.

Level 3 – Integrated
Services & Role of IA: • Advisory services. • Performance and value-for-money audits.
People Management: • Team building and competency. • Professionally qualified staff. • Workforce coordination.
Professional Practices: • Quality management framework. • Risk-based audit plans.
Performance Management & Accountability: • Performance measures. • Cost information. • Internal audit management reports.
Organizational Relationships & Culture: • Coordination with other review groups. • Integral component of management team.
Governance Structures: • Management oversight of the internal audit activity. • Funding mechanisms.

5 Adapted from the IIA Research Foundation. Internal Audit Capability Model (IA-CM) For the Public Sector. Altamonte Springs, Fla.: IIARF, 2009.


Level 2 – Infrastructure
Services & Role of IA: • Compliance auditing.
People Management: • Individual professional development. • Skilled people are identified and recruited.
Professional Practices: • Professional practices and process framework. • Audit plan is based on management and stakeholder priorities.
Performance Management & Accountability: • Internal audit operating budget. • Internal audit business plan.
Organizational Relationships & Culture: • Managing within the internal audit activity.
Governance Structures: • Full access to the organization’s information, assets, and people. • Reporting relationships established.
Level 1 – Initial • Ad hoc and unstructured; isolated single audits or reviews of documents and transactions for accuracy and compliance; outputs
dependent upon the skills of specific individuals holding the position; no specific professional practices established other than
those provided by professional associations; funding approved by management, as needed; absence of infrastructure; auditors
likely part of a larger organizational unit; no established capabilities; therefore, no specific key process areas.


Additional Resources

Internal auditors may refer to other maturity models for insights when developing their own models. The following are a few examples.

IIA Path to Quality Model (PTQM) — The PTQM provides a framework for the CAE to assess the current state of the internal audit activity’s quality capability, target an appropriate level of quality capability for the activity, and present the steps along a path for the audit activity to reach its quality capability target. Categories consist of: Beginning (1), Emerging (2), Conforming (3), Leveraging (4), Leading (5).

RIMS Risk Maturity Model — A tool for executives in risk management and others charged with risk management responsibilities to develop sustainable enterprise risk management programs. Levels include: Ad Hoc (1), Initial (2), Repeatable (3), Managed (4), and Leadership (5).

Software Engineering Institute (SEI) Capability Maturity Models (CMM) — An analytical adaptation of maturity modeling for software engineering processes, people capability, process integration, and other uses. Categories (as named in the CMM’s successor, CMMI) consist of: Initial (1), Managed (2), Defined (3), Quantitatively Managed (4), and Optimizing (5).

ISO/IEC 15504 — The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed ISO/IEC 15504, a reference model for process capability assessment. Its capability levels consist of process attributes, which in turn consist of generic practices. Assessors place the evidence they collect during an assessment against this model so they can give an overall determination of the organization’s capability for delivering products (software, systems, IT services). The six levels are: Incomplete (0), Performed (1), Managed (2), Established (3), Predictable (4), and Optimizing (5).

For further in-depth analysis of maturity models, review the paper titled What Makes a Useful Maturity Model? A Framework of General Design Principles for Maturity Models and Its Demonstration in Business Process Management, by Jens Pöppelbuß (European Research Center for Information Systems, University of Münster) and Maximilian Röglinger (FIM Research Center, University of Augsburg).


About the Authors and Reviewers

Author:
James Rose, CIA, CRMA, CPA

Reviewers:
Maria E. Mendes, CIA, CCSA
Steven Jameson, CIA, CCSA, CFSA, CRMA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2013 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at guidance@theiia.org.

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org

Talent Management
Recruiting, Developing, Motivating, and
Retaining Great Team Members
Practice Guide / Talent Management

Table of Contents

Executive Summary ........................................................................................................... 3


Introduction ........................................................................................................................ 5
Business Significance and Related Risks ................................................................... 5
Definition of Key Concepts .......................................................................................... 5
Related IIA Standards ................................................................................................. 6
Getting Started .................................................................................................................. 9
Understanding Stakeholder Needs and Expectations ................................................. 9
Assessing Competencies .......................................................................................... 9
Recruiting Talent ............................................................................................................. 11
Internal Recruitment.................................................................................................. 11
External Recruitment ................................................................................................ 12
Candidate Selection .................................................................................................. 13
Outsourcing and Co-sourcing ................................................................................... 13
Developing Talent............................................................................................................ 14
Professional Development Plans .............................................................................. 14
Training and Continuing Education ........................................................................... 14
Mentoring .................................................................................................................. 15
Succession Plan ....................................................................................................... 16
Motivating and Retaining Talent ...................................................................................... 17
Rewards .................................................................................................................... 18
Flexible Work Practices ............................................................................................ 19
Talent Management and Quality Assurance and Improvement Program (QAIP) ...... 20


Executive Summary

Recruiting, motivating, and retaining great team members is recognized as one of 10
imperatives that will enable internal audit to drive success in a changing world. According to
The IIA’s 2015 Global Internal Audit Common Body of Knowledge (CBOK) study, internal audit
departments need to cast their nets wider to attract, motivate, and retain team members who
are able to understand and anticipate the rapidly changing business environment. Professional
development also plays an important role, and internal auditors should share responsibility for
their professional development with the internal audit activity. 1

The internal audit activity’s ability to address high-priority risks and drive business value is as
much affected by the right talent mix as the right staff size.

The first steps toward managing talent are to:

1. Assess stakeholder needs and expectations.
2. Develop an audit plan to meet stakeholder needs and expectations, with
consideration for organizational objectives, strategies, and risks.
3. Leverage the Global Internal Audit Competency Framework (Competency
Framework)2 to identify competencies required to execute the audit plan.
4. Perform a competency gap analysis.
5. Develop a talent management strategy.
6. Periodically reassess internal audit’s collective competencies and address key
gaps.

After assessing stakeholder needs and expectations, chief audit executives (CAEs) and
internal audit managers are involved in four key activities: recruiting, developing, motivating,
and retaining talent.

Collaborating with the organization’s human resources department, CAEs may recruit internal
and external candidates. Internal recruits bring organizational knowledge into the internal audit
activity but may lack internal audit core competencies. External recruits may enhance internal
audit’s collective competencies and bring a fresh perspective, but they may require more time
for onboarding, training on policies and procedures, and adapting to the organization’s culture.
Filling the gaps with outsourced or cosourced arrangements is an option when specific skills
are required. CAEs and internal audit managers should consider having outsourcing and
cosourcing plans and arrangements in place to facilitate execution.

1 Larry Harrington and Arthur Piper, Driving Success in a Changing World: 10 Imperatives for Internal Audit, The IIA Research Foundation (IIARF), 2015.
2 The IIA’s Global Internal Audit Competency Framework, The Institute of Internal Auditors, Inc. (IIA), 2013.


CAEs and internal audit managers should motivate team members and develop talent on a
continuous basis to address gaps identified during the assessment process. E-learning may
provide more flexibility and lower costs than traditional classroom training. On-the-job training
is a traditional approach in internal auditing and provides practical experience to individuals
with diverse backgrounds. Mentoring programs, as well as financial and nonfinancial rewards and
incentives, complement training and further motivate team members.

Investment in recruiting, developing, and motivating talent should lead to higher levels of
retention. To further strengthen these talent management activities, CAEs and internal audit
managers should consider implementing a talent management “plan, do, check, act”3
continuous improvement process, and ensure best practices are included in internal audit’s
quality assurance and improvement program (QAIP).

The purpose of this practice guide is to help CAEs and internal audit managers better
understand how to recruit, develop, motivate, and retain competent team members.

3 http://balancedscorecard.org/Resources/Articles-White-Papers/The-Deming-Cycle


Introduction
Business Significance and Related Risks

The collective competencies of the internal audit staff directly influence the efficiency and
effectiveness of the internal audit activity. Recognizing this, The IIA Research Foundation
(IIARF) released The IIA’s Global Internal Audit Competency Framework in 2013 to define the
core competencies needed to meet the requirements of the International Professional
Practices Framework (IPPF). In turn, competent internal auditors can better help the internal
audit activity and the organization at large achieve their objectives.

Talent management shortcomings may potentially expose the internal audit activity to the
following risks:

 Having insufficient resources to implement the audit plan, as agreed to by the board.
 Having insufficient skills to perform an engagement with the necessary level of
proficiency and due professional care.
 Not being able to conform with The IIA’s International Standards for the Professional
Practice of Internal Auditing (Standards), adversely affecting internal audit’s brand
and reputation.

Definition of Key Concepts

Board – The highest level of governing body responsible for directing and overseeing the
activities and management of the organization. Typically, this comprises an independent group
of directors, such as a board of directors, a supervisory board, or a board of governors or
trustees. If such a group does not exist, the “board” may refer to the head of the organization.
The “board” also may refer to an audit committee to which the governing body has delegated
certain functions.4

Competency – Refers to the knowledge, skills, and experience needed in the performance of
internal audit services.5

Talent management – Refers to recruiting, developing, motivating, and retaining competent
team members.

The IIA’s Global Internal Audit Competency Framework – A tool that defines core
competencies needed to meet the requirements of the IPPF for the success of the internal
audit profession. The framework outlines 10 core competencies to be demonstrated by each of

4 The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards).
5 Kurt F. Reding et al., Internal Auditing: Assurance & Advisory Services, Third Edition, p. 2-8 (IIARF, 2013).


three broad job levels — internal audit staff, internal audit management, and the CAE. Core
competencies include6:

I. Professional ethics: Promotes and applies professional ethics.
II. Internal audit management: Develops and manages the internal audit function.
III. IPPF: Applies the International Professional Practices Framework (IPPF).
IV. Governance, risk, and control: Applies a thorough understanding of governance,
risk, and control appropriate to the organization.
V. Business acumen: Maintains expertise of the business environment, industry
practices, and specific organizational factors.
VI. Communication: Communicates with impact.
VII. Persuasion and collaboration: Persuades and motivates others through
collaboration and cooperation.
VIII. Critical thinking: Applies process analysis, business intelligence, and problem
solving techniques.
IX. Internal audit delivery: Delivers internal audit engagements.
X. Improvement and innovation: Embraces change and drives improvement and
innovation.

Related IIA Standards

1200 – Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

1210 – Proficiency

Internal auditors must possess the knowledge, skills, and other competencies needed to
perform their individual responsibilities. The internal audit activity collectively must possess or
obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

1210.A1 – The chief audit executive must obtain competent advice and
assistance if the internal auditors lack the knowledge, skills, or other
competencies needed to perform all or part of the engagement.

1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of
fraud and the manner in which it is managed by the organization, but are not
expected to have the expertise of a person whose primary responsibility is
detecting and investigating fraud.

6 The IIA’s Global Internal Audit Competency Framework, 2013.


1210.A3 – Internal auditors must have sufficient knowledge of key information
technology risks and controls and available technology-based audit techniques to
perform their assigned work. However, not all internal auditors are expected to
have the expertise of an internal auditor whose primary responsibility is
information technology auditing.

1210.C1 – The chief audit executive must decline the consulting engagement or
obtain competent advice and assistance if the internal auditors lack the
knowledge, skills, or other competencies needed to perform all or part of the
engagement.

1220 – Due Professional Care

Internal auditors must apply the care and skill expected of a reasonably prudent and
competent internal auditor. Due professional care does not imply infallibility.

1220.A1 – Internal auditors must exercise due professional care by considering
the:

o Extent of work needed to achieve the engagement’s objectives;
o Relative complexity, materiality, or significance of matters to which assurance
procedures are applied;
o Adequacy and effectiveness of governance, risk management, and control
processes;
o Probability of significant errors, fraud, or noncompliance; and
o Cost of assurance in relation to potential benefits.

1220.A2 – In exercising due professional care, internal auditors must consider
the use of technology-based audit and other data analysis techniques.

1220.A3 – Internal auditors must be alert to the significant risks that might affect
objectives, operations, or resources. However, assurance procedures alone,
even when performed with due professional care, do not guarantee that all
significant risks will be identified.

1220.C1 – Internal auditors must exercise due professional care during a
consulting engagement by considering the:

o Needs and expectations of clients, including the nature, timing, and
communication of engagement results;
o Relative complexity and extent of work needed to achieve the engagement’s
objectives; and
o Cost of the consulting engagement in relation to potential benefits.


1230 – Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through
continuing professional development.

1300 – Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity.

1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external
assessments.

1311 – Internal Assessments

Internal assessments must include:

o Ongoing monitoring of the performance of the internal audit activity; and
o Periodic self-assessments or assessments by other persons within the organization
with sufficient knowledge of internal audit practices.

2030 – Resource Management

The chief audit executive must ensure that internal audit resources are appropriate, sufficient,
and effectively deployed to achieve the approved plan.


Getting Started

Before recruiting talent, the CAE should understand stakeholder needs and expectations, and
perform a competency assessment.

Understanding Stakeholder Needs and Expectations

Stakeholder needs and expectations of internal audit are changing.

 External auditors are relying more on the work performed by internal audit.
 Investors are demanding more transparency from organizations.
 Regulators are increasing their scrutiny over governance and risk management
practices.

Meeting such needs and expectations requires that internal audit expand its traditional
compliance and control evaluation/testing focus to include becoming a strategic adviser to the
organization. To serve in this role, internal auditors must demonstrate competence in
analytical/critical thinking and communication skills — the top skills that CAEs are seeking for
staff.7

Assessing Competencies

To meet stakeholders’ expectations and requirements, the internal audit activity needs to
ensure it has access to the full range of competencies articulated in the Competency
Framework. The CAE should assess whether the internal audit activity collectively has the
competencies needed to fulfill its mission and meet stakeholder expectations. Focus should be
on the competencies needed to address emerging risks, high-priority risks, and primary
business value drivers, not solely on the number of auditors needed to staff the activity.

A competency assessment should be based on a systematic and structured process, including
the following steps:
1. Assess the needs and expectations of primary stakeholders such as the audit
committee, board, senior management, external auditors, investors, and
regulators. This step is critical in defining internal audit’s organizational structure,
deliverables, working practices, communication protocols, and resourcing model.
2. Develop an audit plan that meets stakeholder needs and expectations with
consideration of the organization’s objectives, strategies, and risks. The audit plan
should be aligned with the organization’s business objectives and value drivers.

7 Larry Harrington and Arthur Piper, Driving Success in a Changing World: 10 Imperatives for Internal Audit, IIARF, 2015.


CAEs should leverage information such as organizationwide or business-unit
strategic plans to assess internal audit’s future role in providing assurance and
consulting services, and its need for talent.
3. Leverage the Standards and the Competency Framework to identify competencies
needed to execute the audit plan, such as having basic fraud and IT knowledge
and being able to perform their engagements with due professional care.
4. Assess internal audit’s current collective competencies and identify gaps when
compared with competencies needed to execute the audit plan and core internal
audit competencies.
5. Develop a talent management strategy. The CAE should develop this strategy for
the internal audit activity based on the gap analysis. To best serve internal audit’s
long-term interests, core competencies should be acquired through hiring and
professional development. Ad hoc competencies required for specific assurance
and consulting engagements could be acquired through alternative strategies such
as rotational and guest auditor programs or cosourcing. In addition, the talent
management strategy should consider potential constraints such as budget,
internal audit brand/reputation, the labor market, and the desirability of the
organization’s location.
6. Periodically reassess internal audit’s collective competencies and address key
gaps.


Recruiting Talent

Internal Recruitment

Full-time Permanent Recruitment


Internal recruitment may result in acquiring talent with high-level organizational awareness and
strong business knowledge. However, internal recruits may need additional training to develop
core audit skills. In addition, impaired objectivity may be a potential concern. Effective training
programs, supervision, and thoughtful assignment planning can help to mitigate such
concerns.

Rotational Recruitment
Rotational programs provide a training ground for internal candidates from other departments
while filling talent gaps in internal audit. Rotational programs can be outbound or inbound:

 Outbound rotational programs rotate internal auditors out of internal audit and into
other business units. Rotating out gives internal auditors the opportunity to enhance
their business knowledge in other functional areas.
 Inbound rotational programs rotate employees from other business units into internal
audit for a limited time. Inbound programs provide an opportunity for high-performing
staff members outside of internal audit to learn about governance, risk management,
and internal control practices.

Rotational programs also facilitate the sharing of best practices and potentially increase
awareness of internal control and the role of internal audit among business-unit staff.

The primary challenges associated with inbound rotational programs are potential impairment
to individual objectivity, providing audit skills training to inbound employees, and scheduling.
Additional concerns include the possible disruption to career development paths and the lack
of organizational support.

Tips to successfully implement an inbound rotational program include:

 Obtain commitment and support from other business units.


 Promote the benefits of the program through the organization’s intranet, bulletin
boards, and other communication vehicles.
 Coordinate with human resources to identify viable candidates.
 Assess candidates’ qualifications against desired competencies. Select a pool of
candidates to participate in the program.


 Develop a process to onboard selected candidates. The process should include
providing an overview about the program; the internal audit activity’s vision, mission,
and charter; the Standards; and standard operating policies and procedures.

Guest Auditor Program


A guest auditor program can be used to fill competency gaps for specific audit engagements.
This provides an opportunity for personnel from other parts of the organization to make a
short-term commitment to internal audit. A guest auditor typically serves as a subject matter
expert on a unique internal audit engagement, enhancing knowledge sharing within the
organization.

Tips for implementing a guest auditor program include:

 Enable the guest auditor to interact with internal audit staff to collaboratively identify
mutually beneficial opportunities.
 Provide the guest auditor with preparatory materials before the start of the audit
engagement, such as information about the internal audit activity, broad business or
market information, inherent risks, and other information applicable to the guest
auditor’s assignment.
 Solicit feedback from the guest auditor and other internal auditors on the
engagement team, during and after the assignment. Evaluate performance and
satisfaction with the guest auditor program and share such information with human
resources, the guest auditor, the guest auditor’s manager, and internal audit
management.

External Recruitment

External recruitment finds talent from outside of the organization. External talent may be
sourced from public accounting firms, internal audit activities at other organizations, colleges
and universities, and areas outside of the traditional internal audit domain.

 Candidates from public accounting firms (external auditors) typically have high-level
audit expertise and may have broad industry experience. However, conflicts of
interest can arise if candidates are recruited from the organization’s public
accounting firm. The CAE should be aware of any restrictions on recruiting from the
organization’s public accounting firm.
 Candidates from internal audit activities at other organizations may have relevant
internal audit competencies, but still require onboarding and training to become
familiar with the new organization’s culture, processes, regulatory requirements, and
dynamics.


 Undergraduate or Master of Business Administration candidates may require more
focused training, supervision, and on-the-job experiences to reach satisfactory levels
of performance. However, college recruits also provide existing staff members the
opportunity to develop their internal audit management competencies as they train,
coach, and supervise entry-level internal auditors.

An organization’s internship and co-op programs also could be a beneficial source of talent.

Candidate Selection

Job descriptions should be clearly defined and a standard set of competency-based interview
questions should be used consistently with all candidates. This standardization and
consistency helps to establish baseline criteria from which to evaluate a pool of candidates.

Tips for candidate selection include:

 Ensure that human resources has a high-level understanding of internal audit’s role
and need for talent, and that desired competencies are reflected in the job
description.
 Coordinate with human resources to leverage the organization’s intranet and
websites, general job boards, professional association job boards, and recruiting
agencies to search for potential candidates.
 Screen candidates by assessing their relevant competencies and alignment with the
organization’s espoused values. Verify candidate experience and qualifications, and
complete background checks, as applicable.
 Prepare competency-based interview questions, ensure that interviewers are
knowledgeable of legal constraints (i.e., types of questions or answers to avoid), and
trained in conducting behavioral or competency-based interviews, as appropriate.

Outsourcing and Co-sourcing

Internal audit activities may engage outside personnel to perform tasks that require specialized
expertise. Outsourcing and cosourcing require more planning and preparation to help external
personnel understand how the organization operates. For more information, see Imperatives
for Change: The IIA’s Global Internal Audit Survey in Action8 and the IIA Position Paper, The
Role of Internal Audit in Resourcing the Internal Audit Activity.

8
See Imperative 9 in Richard J. Anderson and J. Christopher Svare, Imperatives for Change: The IIA’s Global Internal
Audit Survey in Action, pp. 37-38, IIARF, 2011.


Developing Talent

The CAE should align internal audit’s talent development approach with the organization’s
professional development practices. Efforts to develop talent typically include professional
development plans, training and continuing education, and mentoring.

Professional Development Plans

Individual professional development plans require staff members to take ownership of their
professional development, and may include formal agreements that outline specific activities,
target accomplishments, and time lines. A professional development plan may support a
particular career path identified by the organization or by the individual internal auditor. For
example:

 Career internal auditor: Career internal auditors pursue internal audit as a long-term
profession, often with the goal of achieving a management position within an internal
audit activity or developing expertise in a specialized field such as fraud or IT. This
career path might include rotating in and out of internal audit as a way to enhance
the career internal auditor’s organizational knowledge.
 Business operations: Internal auditors may serve in audit to gain a broad and deep
understanding of the organization’s business operations, risk management, internal
controls, and governance. They then leverage this experience to seek operational
roles.
 Executive leadership: A rotation through internal audit may be part of an
organization’s executive leadership development program.

Individual development plans should include a path toward certification so that collectively,
internal audit staff certifications form a base level of qualifications for the internal audit
department.

One-size-fits-all professional development practices are not effective for all employees.
Practices should be customized based on generational differences, professional goals,
position, experience, and seniority. Professional development plans should be reviewed and
updated as necessary.

Training and Continuing Education

Internal audit can meet its professional development plan goals through various training and
continuing education activities, such as on-the-job training, classroom training, e-learning, and
other methods. Audit leaders should consider the needs of the individual as well as the internal
audit activity. The best result generally can be achieved through a combination of activities.


Internal audit should develop its training plan based on an assessment of staff competencies
against the Competency Framework. The plan should meet the collective needs of the internal
audit activity as well as the professional development needs of individual internal auditors.

On-the-job Training
On-the-job training can be highly effective, especially for new staff members. It provides them
with hands-on experience performing internal audit tasks. In addition, on-the-job training can
help new staff members learn about core business processes and tasks performed by second
line of defense functions such as risk management and compliance.

Internal audit should define, communicate, and periodically assess its desired on-the-job
training outcomes. On-the-job training should include ongoing feedback and coaching from
experienced team members.

Classroom Training
Classroom training is a common training method. Many organizations have in-house training
programs to provide specific training based on job roles and responsibilities. For example,
training may cover the organization and its processes, the regulatory framework governing the
organization’s business, and other governance structures. Training also could include specific
technical skills for internal auditors such as data analytics and fraud control. IIA chapters and
institutes often offer or provide technical training to their members.

Workshops are a special form of classroom training that require a higher level of individual and
group participation. Depending on participant interaction, this approach may work best when
participants already have a certain degree of experience and knowledge.

E-learning
E-learning may be delivered by internal as well as external providers. It provides greater
flexibility for scheduling and does not require travel or absence from the office. The main
disadvantage is minimal interaction with the facilitator and other participants.

Assessing Training Options


Reading and writing articles for professional publications, attending professional conferences,
and networking are other types of ways to gain internal audit knowledge and skills. Different
types of training and continuing education activities have varying costs. Mapping professional
development plans against the internal audit plan can help the CAE establish a training budget
that supports successful talent management.

Mentoring

A mentoring program can be key to developing talent, not only for new hires but also for more
experienced staff. Mentoring programs should be largely informal, with consideration given to
the following:
 A mentor must be more experienced than the mentee.


 Each auditor may be assigned a mentor.
 It is best if the mentor is not the individual’s supervisor.
 Meetings between the mentor and the mentee should be informal, without official
documentation.

Succession Plan

Succession planning should start well in advance of any potential employment event.
Succession plans should identify potential candidates for existing positions, taking into
consideration the needs of the organization and the candidates’ career goals, competencies,
and potential for development.

Potential candidates could be approached regarding their interest in possible succession
opportunities. Interested persons then could be developed for future roles and responsibilities
and, where appropriate, could be given the opportunity to fill more senior positions during
periods of temporary absence.


Motivating and Retaining Talent


Potential motivators can be mapped against Maslow’s hierarchy of needs9, as illustrated in
Figure 1.

Figure 1: Potential motivators mapped against Maslow’s hierarchy of needs
 Self-Actualization Needs: challenging work, personal responsibility, opportunity for
creativity, achievement in work.
 Self Esteem Needs: recognition & praise, promotion & bonuses, social recognition, job
title, high status of job, feedback from the job itself.
 Social Needs: work groups/teams, supervision, professional associations.
 Safety Needs: health & safety, job security, contract of employment.
 Physiological Needs: compensation, benefits, working conditions.

Although it is important to find the best combination of motivators for each individual,
challenging work, career opportunities, quality of work environment, and recognition, rather
than compensation, are leading drivers of staff retention. Rewards and recognition, flexible
working practices, and work–life balance all can be potential motivators of retention.
Retention also can be affected by other individual and team incentives.

Efforts to motivate individuals may include:
 Helping staff members find meaning in their work and establishing a connection
to their work. Ensuring that work itself aligns with employees’ expectations and
needs.
 Helping staff members set and achieve their goals.
 Mentoring and counseling.
 Developing career and performance management plans.
 Using appropriate techniques to improve or change behavior.
 Specifying standards and expectations and designing appropriate performance
evaluation tools.
 Explaining the consequences of any mistakes or inappropriate behavior.
 Undertaking regular formal and informal performance evaluations.
 Providing appropriate compensation and benefits.

9
A.H. Maslow, “A Theory of Human Motivation,” Psychological Review, 1943.


Factors that motivate teams may include:

 Shared vision and well-understood strategies.
 Clearly established team goals.
 Clearly defined team roles and responsibilities.
 Clearly understood rules and channels.
 Supportive team behaviors.
 Well-defined ground rules and decision-making processes (e.g., delegating
authority, encouraging team empowerment).
 Balanced participation (i.e., proportionate assignment of tasks within the team).
 Awareness of group processes.
 Solid brand/reputation of internal audit within the organization.

Rewards

People should feel recognized for their contributions and supported in their individual
aspirations. Transparent processes for rewarding staff members should be established, such
as:

 Establishing criteria that define which behaviors or actions will be
rewarded/recognized.
 Making recognition eligibility open to all employees.
 Consistent application of rewards to all who qualify.

Recognition should occur as close to the performance as possible, so that it reinforces
behavior. A reward should always be preceded by recognition, but recognition can be given
without the reward.

Rewards may be financial and be representative of the organization’s compensation, bonuses,
and incentives scheme. However, not all organizations will be able to grant financial rewards,
and some organizations may prefer nonfinancial rewards, such as:

 Increasing responsibilities for the employee who proves potential. However, take
care to ensure that additional responsibilities are seen as a reward rather than a
burden.
 Appointing the employee to be a team leader.
 Exposing the employee to engagements that require advanced competencies to
execute the audit.
 Enrolling the employee in certification programs.


 Inviting the employee to facilitate engagement opening/closing meetings, make a
presentation to the audit committee or board, or participate on a special team
project.
 Publicly recognizing employee performance in staff/office meetings.

Flexible Work Practices

Flexible work practices can help retain talent. Flexibility can be offered formally or informally, in
accordance with the organization’s local and national practices. In implementing flexible work
practices, CAEs should pay special attention to balancing employee workload with
engagement and business needs. They should still expect internal audit staff to comply with
internal policies and confidentiality standards, especially when working remotely.
 Occasional flexible work time should be assessed on a case-by-case basis,
depending on the internal auditor’s role (i.e., manager, team leader, staff) and
engagement requirements.
o Flexible hours – allow employees a temporary variance of starting/ending
times, based on a specific need that best fits their schedule.
o Remote work – different locations may be more suitable for completing tasks
and assignments, including working from home. Such requests should be
discussed and agreed upon in advance with the team leader or CAE.
Working remotely can help internal audit staff balance personal and
professional commitments. However, the team leader or CAE must ensure
that relevant tools and technology are provided and used appropriately,
timely and quality work is produced, and professional standards are
observed.
 Long-term flexible hours:
o Long-term change of starting/ending working times can be beneficial to staff
members and provide incentive for talent retention. However, nonstandard
working hours should be aligned to the internal audit activity’s needs.
o Long-term remote work, aligned with the internal audit activity’s needs, may
provide incentive for talent retention.
o Part-time work – reduction of working hours with corresponding adjustment of
compensation and benefits may appeal to some staff members.
o Reduced work hours for people with care-giving responsibilities – a special
type of part-time working arrangement to help staff members care for a
member of their immediate family — can be an attractive incentive to stay
with an organization.


 Unpaid leave – this incentive, which may be allowed as long as there are no
obstacles, could appeal to staff members who value free time or extended time off.
Examples include unpaid vacation and sabbatical leave.
 Social responsibility leave — some organizations may grant staff members
optional paid days off to perform social responsibility activities such as charitable
endeavors.

Talent Management and Quality Assurance and Improvement Program (QAIP)

Talent management is related to The IIA’s 1200-series standards on proficiency and due
professional care, and should be addressed in the internal audit activity’s quality assurance
and improvement program (QAIP). As an ongoing and periodic assessment of the entire
spectrum of audit and consulting work performed by internal audit,10 a QAIP promotes
continuous improvement.
A continuous improvement model popularized by W. Edwards Deming11 is the Deming Cycle,
which consists of four steps — plan, do, check, act — as illustrated in Figure 2.

Figure 2: The Deming Cycle (Plan, Do, Check, Act)

The Deming Cycle can be applied to talent management as part of the QAIP. Although each
CAE should determine how to best assess the quality of the internal audit activity’s talent
management processes, some examples follow:

Plan: Documentation of talent management objectives.

 Internal audit activity attracts candidates with the necessary skills and talent to
complete the audit plan.
 Internal audit staff receives sufficient and appropriate training.
 Internal audit activity develops and retains its staff as needed and at all levels.
 Internal audit meets stakeholder needs and expectations.

10
Practice Advisory 1310-1: Requirements of the Quality Assurance and Improvement Program.
11
http://balancedscorecard.org/Resources/Articles-White-Papers/The-Deming-Cycle


Do: Activities to define quality and build staff awareness.

 All training activities are planned, authorized, and documented. Criteria should be
tailored to fit the specific internal audit activity. Factors to consider are size and
complexity of the organization, industry, maturity level of the internal audit activity,
and specific challenges (e.g., no changes in staff in the last two years, low
competency ratings by senior management).

Check: Assessment and reviews to measure quality, including:

 Ongoing monitoring.
 Periodic self-assessment.
 External assessment.

For example, ongoing monitoring might be addressed as follows:

On a quarterly basis, managers document training activities for all team
members by type, content, cost, and number of days. Performance metrics
such as the average number of training days per team, and the minimum and
maximum number of training days completed, are compared to defined
benchmarks.

Ongoing monitoring should be part of internal audit’s overall performance management
system — for example, in the form of a balanced scorecard. Performance management
systems provide a good basis for efficient performance of internal and external
assessments.

Act: Improvement initiatives and lessons learned.

The Act step is crucial, as it allows for the continuous improvement of the internal audit activity.
This step relies on appropriate implementation of each of the other steps, as illustrated in this
example:

Ongoing monitoring reveals that IT audit staff completed an average of eight
days of training in the previous year. Further analysis shows that cost was the
determining factor in the number of training days completed. An internal
assessment also indicates that IT management is not fully satisfied with IT audit
coverage of new technologies such as cloud computing and social media. As a
consequence, management of the internal audit activity decided to increase the
target IT auditor training requirement to 12 days annually for the next two years.
The training budget will remain the same. The IT audit manager will explore
possibilities to arrange cost-efficient, in-house training for central and important
topics such as Internet security. For cloud computing and social media, high-
quality training courses will be identified and IT auditors will be selected to
attend. At the same time, the IT audit manager will organize a workshop with his
team to explore possibilities for effective, low-cost professional development
(e.g., Web-based training, Internet research, stronger participation at IT-specific
IIA chapter activities/meetings).

This example shows not only the diverse improvement activities resulting from the Deming
Cycle, but also how they can lead to the next Deming Cycle with improved performance of the
internal audit activity. Here, the objectives formulated in the Plan step should be reevaluated
but probably do not need to be changed. Certainly there is a need to change the criteria in the
Do step. For IT audit, the criterion will be: “On the average, IT audit staff are getting 12 days of
training per year.” Also, for IT audit, an additional criterion could be added: “IT management is
fully satisfied with IT audit coverage of new technologies.”


Authors:

Ana Figueiredo, CIA, CRMA

Fabiano Castello, CIA, CCSA, CRMA

Hans-Peter Lerchner, CIA

John Mickevice, CIA, CRMA

Max Haege

Ruxandra Billius, CIA, CRMA

Reviewers:

Rune Johannessen, CIA, CCSA, CRMA

Sally-Anne Pitt, CIA, CGAP

Takuya Morita, CIA

Tuncay Efendioglu, CIA, CCSA, CFSA, CRMA

Bruce Turner, CGAP, CRMA


About the Institute


The Institute of Internal Auditors (The IIA) is the internal audit profession’s most widely recognized advocate, educator,
and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 180,000
members from more than 170 countries and territories. The association’s global headquarters are in Altamonte
Springs, Fla. For more information, visit www.globaliia.org / www.theiia.org.

About Supplemental Guidance


Supplemental Guidance is part of The IIA’s International Professional Practices Framework (IPPF) and provides
additional recommended (non-mandatory) guidance for conducting internal audit activities. While supporting the
Standards, Supplemental Guidance is not intended to directly link to achievement of conformance with the Standards.
It is intended instead to address topical areas, as well as sector-specific issues, and it includes detailed processes and
procedures. This guidance is endorsed by The IIA through formal review and approval processes.

Practice Guides
Practice Guides are a type of Supplemental Guidance that provide detailed guidance for conducting internal
audit activities. They include detailed processes and procedures, such as tools and techniques, programs,
and step-by-step approaches, as well as examples of deliverables. As part of the IPPF Guidance,
conformance with Practice Guides is recommended (non-mandatory). Practice Guides are endorsed by The
IIA through formal review and approval processes.

A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward
business language to address a timely issue related to information technology management, control, or
security.

For other authoritative guidance materials provided by The IIA, please visit our website at
www.globaliia.org/standards-guidance or www.theiia.org/guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes; it is not intended to provide definitive
answers to specific individual circumstances. As such, it is only intended to be used as a guide. The IIA recommends
that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no
responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2015 The Institute of Internal Auditors.
For permission to reproduce, please contact guidance@theiia.org.

December 2015

– Practice Guide

Assessing Organizational
Governance in
the Public Sector

October 2014
IPPF – Practice Guide
Assessing Organizational Governance in the Public Sector

Table of Contents

Executive Summary............................................................................................................. 1

Introduction......................................................................................................................... 1

Public Sector Characteristics............................................................................................ 4

Public Sector Structure................................................................................................... 5

Public Sector Accountability........................................................................................... 5

The Public Sector Governance Roles and Responsibilities............................................... 6

Considerations by Specific Governance Process or Structure........................................ 7

Assessing Organizational Governance..............................................................................12

Additional Resources........................................................................................................ 25

Appendix — Board Risks, Control Objectives, and Practices........................................ 27

Author, Contributors, and Reviewer................................................................................. 30

www.globaliia.org/standards-guidance / iii

Executive Summary

Assessing organizational governance in the public sector requires a firm understanding of the
characteristics, structure, and accountability processes prevalent in international, national,
regional, and local governments. At the same time, governance structures and processes must
be customized according to the organization’s complexity and political, cultural, economic, and
regulatory environments. Regardless of the nature of the organization, a principles-based
approach to assessing organizational governance will help auditors provide assurance that the
public is being well-served.

Responsibilities for governance are shared among the board, senior management, and the
audit function. The board bears primary responsibility for organizational governance and often
delegates implementation responsibilities to senior management. The chief executive also sets
the tone at the top, establishing a foundation for good governance. Audit functions provide
public sector organizations with assurance and advisory services by monitoring and reporting
on the effectiveness of governance processes.

Auditors should prepare for the assessment process by developing a deep understanding of the
organization’s governance context, including identifying key stakeholders and their governance
requirements. After the context has been defined, major steps in the assessment process
include gathering documents, reviewing processes and structures, establishing assessment
criteria and a maturity model, developing an audit plan, and finally, planning and completing
engagements.

Performing the assessment will require auditors to gather evidence from and consider
processes and structures related to:

• The board and audit committee.
• Strategy.
• Enterprise risk management.
• Ethics.
• Compliance.
• Organizational accountability.
• Monitoring.
• IT governance.

Public sector governance audits are often high-profile, sensitive in nature, and a matter of
public record. Adequate staffing, appropriate supervision, and quality assurance are critical
throughout the process.

Introduction

In 2012, The IIA released Assessing Organizational Governance in the Private Sector, a
practice guide designed to provide chief audit executives (CAEs) in the private sector with
direction on how to assess and make recommendations for improving governance. This public
sector-focused practice guide:

• Adapts Assessing Organizational Governance in the Private Sector to suit the unique
needs of the public sector.
• Is designed to help public sector boards, audit committees, CAEs, and audit staffs assess
governance.
• Is intended to be fully applicable to government and all publicly controlled or publicly
funded agencies, enterprises, and other entities that deliver public programs, goods, or
services.

The public sector organization’s board is responsible for governance oversight. The CEO is
responsible for non-board governance processes. An effective audit function that is
independent, objective, and proficient; uses sound assurance processes and practices; and
conforms to the International Standards for the Professional Practice of Internal Auditing
(Standards), is qualified to assess governance and provide assurance on governance
effectiveness to the board.

www.globaliia.org/standards-guidance / 1
IPPF – Practice Guide
Assessing Organizational Governance in the Public Sector

A Principles-based Approach

Public sector governance should be customized to align with the organization’s complexity and geographic, political, cultural, economic, and regulatory environments. To address a wide spectrum of needs, this practice guide provides guidance that focuses on universal good principles of governance.

“Because governments throughout the world are structured differently — with different and possibly overlapping mandates and jurisdictions — no single governance model applies to public sector organizations. Nevertheless, certain governance principles are common across the public sector. Common principles of corporate governance encompass the policies, processes, and structures used by an organization to direct and control its activities, to achieve its objectives, and to protect the interests of its diverse stakeholder groups in an ethical manner.”1

Taking a principles-based approach, audit functions can assess governance across different systems of government including international governments, national and state governments, government agencies, state-owned enterprises, and municipalities. Boards, audit committees, CAEs, and audit staffs may need to supplement this guidance with additional, in-depth or rules-based guidance in specific areas applicable to their organizations and jurisdictions.

Business Significance and Related Risks

Governance is the processes and structures implemented by the board to inform, direct, manage, and monitor the organization’s activities toward achieving its objectives. Strong governance systems increase the likelihood that organizations will meet their objectives and stakeholder expectations. The organization faces risks to achieving effective governance, and the board is responsible for implementing governance processes and structures. While the board remains accountable for governance, it may delegate certain governance responsibilities to management. Board-level governance risks are outlined in the Appendix.

Related IIA Standards and Guidance

The International Professional Practices Framework (IPPF) outlines the following Standards pertaining to governance.

Standard 2110: Governance
The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

2110-A1
The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.

2110-A2
The internal audit activity must assess whether the information technology governance of the organization supports the organization’s strategies and objectives.

Related IPPF practice advisories and practice guides providing additional guidance on governance include:

Practice Advisories
• PA 2110-1: Governance: Definition
• PA 2110-2: Governance: Relationship With Risk and Control
• PA 2110-3: Governance Assessments

1 Supplemental Guidance: The Role of Auditing in Public Sector Governance, The IIA, 2012.

Practice Guides
• Auditing Executive Compensation and Benefits
• Assessing Organizational Governance in the Private Sector
• Evaluating Corporate Social Responsibility/Sustainable Development
• Evaluating Ethics-related Programs and Activities
• Global Technology Audit Guide (GTAG) 4: Management of IT Auditing, 2nd Edition
• GTAG 15: Information Security Governance
• GTAG 17: Auditing IT Governance

Standard 2120: Risk Management
The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Related IPPF practice advisories, practice guides, and a position paper providing additional guidance on risk management include:

Practice Advisories
• PA 2120-1: Assessing the Adequacy of Risk Management Processes
• PA 2120-2: Managing the Risk of the Internal Audit Activity

Practice Guides
• Internal Auditing and Fraud
• GTAG 10: Business Continuity Management
• GTAG 13: Fraud Prevention and Detection in an Automated World

Position Paper
• The Role of Internal Auditing in Enterprise-wide Risk Management

Standard 2130: Control
The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

Related IPPF practice advisories and practice guides providing additional guidance on control include:

Practice Advisories
• PA 2130-1: Assessing the Adequacy of Control Processes
• PA 2130.A1-1: Information Reliability and Integrity
• PA 2130.A1-2: Evaluating an Organization’s Privacy Framework

Practice Guides
• GTAG 1: Information Technology Risks and Controls, 2nd Edition
• GTAG 2: Change and Patch Management Controls: Critical for Organizational Success, 2nd Edition
• GTAG 8: Auditing Application Controls
• GTAG 9: Identity and Access Management
• GTAG 12: Auditing IT Projects
• GTAG 14: Auditing User-developed Applications
• The Guide to the Assessment of IT Risk (GAIT) Methodology
• GAIT for IT General Control Deficiency Assessment
• Auditing External Business Relationships
• Auditing Privacy Risks, 2nd Edition

Other IIA Guidance
• Supplemental Guidance: Public Sector Definition
• Standard 1300: Quality Assurance and Improvement Program
• Standard 1312: External Assessments
• Standard 2400: Communicating Results
• Practice Advisory 2400-1: Legal Considerations in Communicating Results

Definitions of Key Concepts

This practice guide uses the following definitions for governance and governance-related terms:

Control — Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives will be achieved (Standards).

Governance involves the set of relationships among the organization’s stakeholders, interest groups, citizens, board, and management. These relationships are framed by laws, rules, and requirements, and provide the structure through which the objectives of the organization are set, the strategies to achieve those objectives are defined, operating plans are prepared, performance is monitored, and information is communicated transparently among the parties.2

Public Sector — In general terms, the public sector consists of governments and all publicly controlled or publicly funded agencies, enterprises, and other entities that deliver public programs, goods, or services. Public sector governance includes two domains: public governance and organizational governance.

Public governance refers to preconditions to run (govern) a jurisdiction — processes and structures necessary to ensure that the government can stay in power until the end of its mandate, implement public policies, have smooth relationships with legislative and judiciary powers, and pass on administration to the next government.

Organizational governance is derived from the corporate governance experience and deals with the specific organizations that comprise the public sector. Organizational governance addresses how organizations should be structured to mitigate or eliminate conflicts of interest between their personnel and the citizens that the organizations represent.

Risk Management — A process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives (Standards).

Public Sector Characteristics

Public and private sector organizations differ considerably with regard to governance. Generally, public sector governance is more rigid and under greater regulatory burden. Table 1 outlines the major differences.

Table 1: Public vs. Private Sector Organizational Characteristics

ORGANIZATIONAL CHARACTERISTIC | PUBLIC SECTOR | PRIVATE SECTOR
Main Organizational Purpose | Protect/Serve Public Interest | Maximize Shareholder Value
Creation | Law | Incorporation Acts
Governance Structure | Governing Board/Audit Committee/Senior Official | Shareholders/Board of Directors/Audit Committee
Finance | Taxes/Revenues | Ownership/Debt/Revenues
Operational Rules | Formal/Rigid/Law | Formal/Flexible/Informal
Accountability | Citizenry/Legislature | Shareholders/Stakeholders/Regulators
Outside Communication | Open/Public | Present/Potential Shareholders, Stakeholders, and Regulators
Control Systems | Rigid | Flexible

2 For a more detailed discussion of governance context in the public sector, see The IIA’s The Role of Auditing in Public Sector Governance and the International Federation of Accountants’ (IFAC’s) Governance in the Public Sector: A Governing Body Perspective.

Public Sector Structure

The public sector structure includes the general government (core government and agencies), and public corporations (state businesses and enterprises). This practice guide is intended to be fully applicable to general government public sector entities. Public corporations’ objectives and conformations lie somewhere between the public and private sectors. Therefore, auditors in public corporations should refer to this practice guide in conjunction with the practice guide, Assessing Organizational Governance in the Private Sector, to potentially develop a hybrid approach for assessing governance. Figure 1 depicts a representative public sector structure.

Figure 1 – Public Sector Structure

[Figure 1 is an organization chart. Public Sector divides into General Government (Core Government and Agencies) and Public Corporations (State Business and Public Enterprise). General Government comprises International Government, National Government, Regional Government, and Local Government. Public Corporations comprise Financial Public Corporations (Monetary Public Corporations, Including Central Bank; Nonmonetary Financial Public Corporations) and Nonfinancial Public Corporations.]

Public Sector Accountability

Assessing governance structure and practices requires an understanding of public sector accountability. Public sector accountability is summarized in Figure 2.

Figure 2 – Example of Overall Accountability Process in the Public Sector3

[Figure 2 is a diagram linking the Legislature, the Executive, and the Auditor. Its labels are: Conferred Responsibility and Accountability Reporting (between legislature and executive); Audit and Report (between auditor and executive); Independent Objective Information; Transparency; and Acknowledgment of Responsibility.]

In democratic governments, the executive function is responsible for planning, directing, and controlling daily operations, while the legislature is responsible for authorizing the executive budget and government expenditures. The legislative auditor audits and reports on the performance of the executive branch.

In many national governments, legislative auditors are established as supreme audit institutions (i.e., independent government external auditors). In regional and local governments, auditors may play a dual role — helping to improve the government (i.e., an audit function role), and providing the legislature with timely and relevant reports for control purposes (i.e., an external assurance provider role).

In this particular accountability environment, it is important that public sector auditors recognize the importance of effective communication channels with legislative external assurance providers. Management-approved communication between the audit function and external assurance providers helps to ensure public accountability. The audit committee is one of the main mechanisms to help facilitate this communication.

3 Office of the Auditor General of Canada training material. Reproduced with the permission of the Minister of Public Works and Government Services, 2014.

The Public Sector Governance Roles and Responsibilities

The Board
The board is the focal point for effective organizational governance. It is the link between the stakeholders and the organization’s executive management, and it bears primary responsibility for governance. The board:

• Sets the organization’s strategic objectives and provides the leadership to put them into effect.
• Directs and provides oversight of the executive leader and senior management.
• Establishes appropriate risk levels.
• Approves and monitors entitywide ethics, operational, and compliance standards and policies.
• Institutes effective control systems.
• Provides transparent, complete, clear, and timely communication to stakeholders.

The board’s actions are subject to laws, regulations, and the needs of stakeholders. The board typically delegates significant authority for the day-to-day operations to an executive leader (CEO) and the executive leadership team. To be effective, the board should be independent, engaged, and committed.

Management
The organization’s executive leadership and senior management are accountable to the board. Top management is ultimately responsible for implementing the organization’s governance system, as directed by the board. The CEO sets the tone at the top for the integrity, ethics, and conduct that will contribute to an effective governance environment. This tone is imparted to the executive leadership team, which in turn cascades organizationwide. The CEO and executive management should “walk the walk” to ensure that a positive governance culture exists throughout the enterprise. In addition, executive leadership and senior management should ensure that governance policies, procedures, and programs exist and are followed, and that there is compliance with applicable laws, regulations, and codes.

Audit Function
Public sector audit functions can provide their organizations with governance assurance and advisory services. The audit function charter should state that the audit function’s scope includes all governance activities and processes. However, this does not mean that auditors are required to perform audits of all governance activities and processes. The audit function should be positioned appropriately within the organization and staffed with proficient professionals.

The audit function can play numerous roles in assessing and contributing to the improvement of organizational governance. For example, auditors can:

• Provide advice on ways to improve the organization’s governance practices if they are not mature.
• Contribute to the organization’s governance structure through internal audits, even if those audits are not focused specifically on governance.
• Act as facilitators, assisting the board in governance self-assessments.
• Observe and either informally or formally assess governance, risk, and control structural design and operational effectiveness, while not being directly responsible for them.

The appropriate role for the audit function and the resource commitment to each of these roles depends largely on the maturity of the governance system and the organization’s size and complexity. The CAE should discuss and reach an agreement with the board on the audit function’s role in assessing organizational governance.

The focus of the remainder of this practice guide is on providing formal assessments of organizational governance. Recognizing that there could be sensitivities to assessing and reporting on some board- and executive-level governance activities, board-level support and, if needed, sponsorship for assessments should be obtained as part of the periodic audit planning process.

Considerations by Specific Governance Process or Structure

Board and Audit Committee
The board should be satisfied that there is an effective governance system in place. To that end, it should ensure that it is fulfilling all of its governance responsibilities, the right governance processes are in place within the organization and operating effectively, and transparent communication exists between the organization and its stakeholders. The board should discuss the state of the organization’s governance system and seek input from the three levels of assurance providers: operating or line management, organizationwide functions, and independent activities such as the audit function. The board should sponsor periodic evaluations and continuous improvement of governance practices. This can be done through self-assessments and obtaining assistance from the audit function or external assurance providers. A highly competent and well-positioned audit function can assist with a board’s self-assessment and can provide reliable assurance on the organization’s internal governance practices.

The exact role of the board is determined by the powers, duties, and responsibilities delegated to it or conferred upon it by applicable law and is typically specified in the organization’s articles, bylaws, charters, rules, or other similar documents. Usually, the organization’s legal documents specify the number of members of the board, how they are to be chosen, the frequency and mode of meeting, and how decisions are to be made. The bylaws primarily contain what is prescribed in legislation. Moreover, the organization’s legal documents specify the roles and responsibilities of the board, senior management, and other organizational bodies and functions.

The audit committee is an important governance tool to help the board discharge its responsibility for establishing and monitoring an adequate governance system within the organization. Audit committees can be seen as complementary vehicles that can improve communication and coordination between top management — including the governing board — and the audit function, which is primarily responsible for assessing the organization’s internal control, risk management, and governance structures.

The main desirable characteristics of an effective audit committee are the independence and competence of its members. These features empower audit committee members to seek explanations and information about crucial issues related to accountability and operational and financial performance. The audit committee can help ensure that accepted internal audit recommendations are followed up and taken into serious consideration by senior management.

Leading practice guides for audit committees usually address these areas: mandate, composition, independence, members’ capability requirements, and reporting. Some of these best practices include:

• An oversight mandate should be set out in a written charter. At a minimum, the audit committee oversight mandate should encompass areas such as values and ethics, governance arrangements, risk management, management control framework, audit activities and other external assurance providers, financial statements, and public accountability reporting.
• The composition of public sector audit committees varies, but a minimum requirement of three members is considered a general rule.

• Independence requirements are usually considered to be met when most of an audit committee’s members come from outside the government.
• Capability requirements include, among other things, inquisitiveness, outspokenness, courage, sound judgment, objectivity and integrity, a healthy constructive skepticism, a high level of ethics, and strong communications skills. Financial, control framework, governance, and management expertise also are highly desirable, if not necessary.

In assessing audit committee performance, government auditors should focus on a three-pillar framework:

• Assessing compliance with charter obligations. Does the audit committee discharge its responsibilities as stated in the charter?
• Assessing the participation of audit committee members. Is there a formal and effective assessment of each member’s performance and contribution to the audit committee?
• Assessing value-added activities pursued and outcomes achieved. Does the audit committee add value to the organization by facilitating well-informed and effective decision-making, promoting and monitoring an ethical culture, implementing an effective system of risk oversight and management, implementing an effective and efficient internal control system, promoting effective communication with internal and external auditors and responding appropriately to matters they raise, and promoting high-quality internal and external reporting of financial and nonfinancial information?

Strategy
Strategic planning is an organization’s process for defining strategies for achieving its objectives, as well as making decisions on allocating resources to pursue its strategies. Simply put, strategic planning outlines where an organization is going over the next few years and how the entity proposes to get there.

Strategies can exist at different levels of an organization. They start at the overall organizational level and cascade down.

Organizational Strategy — The highest level strategy, organizational strategy is concerned with the overall purpose and scope of the organization to meet stakeholder expectations. This is the most critical level because it is heavily influenced by stakeholder budgetary allocation and acts to guide strategic decision-making throughout the organization.

Subsidiary Strategies — Strategies that are concerned with how the organization will successfully operate in particular areas. Subsidiary strategies involve decisions about choice of services to be delivered, meeting community needs, influencing political agendas, and exploiting or creating new opportunities.

Operational Strategies — At the operating level, strategies are focused on how each activity or function will deliver organizational and subsidiary strategies. Compared to organizational and subsidiary strategies, operational strategies are much more detailed and focused on resources, processes, people, etc. All material discrete activities and functions should have operational strategies.

What are some conditions of satisfaction that can be used to evaluate strategies? Strategies should:

• Be developed through a disciplined process and supported by the best available information.
• Be commonly understood by organizational personnel.
• Serve as a platform for all major decisions.
• Enhance stakeholder value.
• Align with other strategies, both top-down and across the organization.
• Be clearly reflected in objectives, structures, and operations at all levels.

• Enable alignment of measurement and rewards.
• Eliminate redundancies.
• Be documented.
• Manage/maintain risks within risk tolerance limits.
• Allow risk expectations to be well understood by stakeholders such as regulators, interest groups, citizens, rating agencies, and capital markets.

In performing an assurance engagement, the audit function should assess whether each of the above conditions is present. The assessment is generally not intended to directly question the strategies themselves, but rather, to assess the strategic-planning process and how well the strategies have been communicated and adopted throughout the organization.

Enterprise Risk Management (ERM)
Generally, the board will delegate the operation of the risk management process to the organization’s executive leadership team. Structures may vary depending on the size, complexity, and maturity of the organization, and its commitment to risk management. For example, in a small organization with risk-conscious managers and a high degree of communication about risks, there may be no need for a formal structure. In a large organization, the structure may consist of a single individual with a staff that owns the identification, assessment, and monitoring processes and coordinates, along with top and middle management, risk management activities. Some organizations have assigned specific risk management activities to the audit function. The IIA position paper, The Role of Internal Auditing in Enterprise-wide Risk Management, provides guidance on permitted roles, roles that may be appropriate with safeguards, and prohibited roles. Of great importance is ownership of risks. Regardless of the roles an audit function may play, it should not own any risks other than risk within the audit activity.

There are several risk management frameworks or standards to choose from in establishing the criteria upon which to base the assessment. Two of the most widely used are ISO 31000, Risk Management–Principles and Guidelines and COSO’s Enterprise Risk Management–Integrated Framework.

For guidance on assessing risk management, see The IIA practice guide, Assessing the Adequacy of Risk Management Using ISO 31000.4 That practice guide presents three potential approaches:

• Process elements — Are all the elements of a sound risk management process in place?
• Key principles — Does the risk management process satisfy a minimum set of principles?
• Maturity model — How mature are the elements of the risk management process? The practice guide includes a basic risk maturity model.

The auditor should look at the qualitative aspects of risk management and formal processes. For example, the quality of the risk policy or risk universe is as important as having one in place.

Ethics
Senior management members have primary responsibility for promoting strong ethics. The tone at the top, as indicated by their actions, as well as by their formal and informal communications, is critical. These actions include their own behavior and how they respond when key employees such as other executives or “the best salesman” behave unethically. Operating managers set the tone in their own areas, which may or may not be consistent with that of the organization as a whole.

Ethical standards in areas such as gift giving differ culturally. Global organizations should decide whether and how much to adapt their global standards to the local culture, while being fully cognizant of all applicable laws and regulations, and make this clear to all concerned.

4 See “Additional Resources” for a link to this guidance.

The audit function should promote ethical behavior and may function in roles such as chief ethics officer, compliance officer, or member of an ethics council, as long as such a role does not compromise the audit function’s independence. For more guidance on this matter, refer to the IIA position paper: The Three Lines of Defense in Effective Risk Management and Control.

Standard 2110.A1 states: “The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.” Evaluating the design might require developing and agreeing with management on criteria, perhaps by research and benchmarking similar programs. Evaluating the implementation will be similar to doing so for other activities. Evaluating whether the programs are having the desired effect requires an evaluation of the ethical climate itself.

Evaluating the ethical climate is sensitive and can be highly subjective. To succeed, auditors should:

• Get sponsorship and agreement on the evaluation methods from the board and senior management. To the extent possible, get buy-in from those who might be subject to criticism as a result of the review.
• Consider using a maturity model for the evaluation, because no ethical climate is completely good or bad.
• Consider using self-assessment methods such as surveys or workshops, in which employees evaluate the climate they work within and the ethical behavior of management and other employees. Whenever possible, validate the results of these methods with more tangible evidence. If they cannot be validated, make this clear in reporting, and work with management to determine the reasons for employees’ perceptions of the climate.

Like other governance activities, ethics can be assessed as part of a comprehensive review of governance, as a stand-alone project that contributes to the overall governance assessment, or integrated into audits that focus more directly on business operations or support activities.

Compliance
Compliance and ethics are closely related and are sometimes evaluated together. The preceding section on ethics applies to compliance as well. This section presents additional considerations.

The term “compliance,” particularly when referring to a compliance function, normally refers to compliance with laws and regulations, rather than compliance with internal policies and procedures. Audit functions should consider the need for technical assistance — for example, from the organization’s legal department or an outside third party — when evaluating legal and regulatory compliance.

The compliance function, if one exists, might be the subject of an audit. However, the scope should go beyond the activities of the function itself. The effectiveness of the function is determined by the awareness of, and commitment to, compliance by employees whose work could be noncompliant. If the CAE is responsible for the compliance function, this audit should be strongly considered as a candidate for outsourcing to an external assurance provider.

If there is no designated compliance function, auditors should determine and assess the methods by which the organization fosters compliance knowledge and commitment in its employees.

Organizational Accountability
The organization’s board and management derive their authority from its key stakeholders. Accountability is imperative to make executive management and staff answerable for their behavior and responsive to the organization’s key stakeholders. This may be achieved differently in different countries or political structures, depending on the history, cultural milieu, and value systems involved.
10 / www.globaliia.org/standards-guidance
IPPF – Practice Guide
Assessing Organizational Governance in the Public Sector

The mechanisms used may vary from audit covenants at one level to broadly elected legislatures or more narrowly conceived consultative committees at another.

Accountability also means establishing criteria to measure the performance of the board and management, and oversight mechanisms to ensure that the standards are met. The litmus test is the process by which the stakeholders can act to address inappropriate actions and reward exemplary performance. This can be a sensitive area for internal audit to review and underscores the importance of the appropriate level of support and sponsorship.

When assessing accountability, the audit function should consider:

• The organization's legal or legislative appointment, legal structures, and applicable laws and regulations.
• Formal and comprehensive "delegated authorities" and "powers reserved."
• Documented acknowledgement of their accountabilities by key personnel.
• Processes to monitor accountabilities and corrective actions taken when accountabilities are not met.

Monitoring

There are several different monitoring and measurement systems in use today. Regardless of the nature, size, type, form, or specialization, organizations tend to be interested in the same general aspects of performance: financial, client, internal services operations, societal, special interest groups, employee, leadership, and stakeholder satisfaction.

By definition, the purpose of monitoring is to provide the board and management with early indications of progress being made, or not made, in achieving the organization's objectives. Monitoring enables and assists the board and management in making timely decisions. Also, monitoring provides a means for holding people accountable and enables the organization to continually improve performance.

Monitoring should be based on an analysis and prioritization of risks to achieving organizational objectives and the means by which those risks are mitigated. Monitoring efforts over process-level risks should include considerations for:

• Relevance.
• Reliability.
• Adaptability to address new or changing risks.
• Accuracy.
• Objectivity.
• Completeness.
• Cost-effectiveness.
• Timeliness.
• Usefulness.
• Communication and reporting content.

IT Governance

According to the Standards, IT governance consists of leadership, organizational structures, and processes that ensure that the enterprise's IT supports the organization's strategies and objectives.

IT governance is an extension of organizational governance. As with all governance, there is no one-size-fits-all solution. Effective IT governance should be a cohesive and integrated process aligned with the business, compatible with the management decision-making style and culture, and perceived by business management to be providing value. The board has oversight responsibility for IT governance. The CAE should ensure that IT governance is included in the annual program of audits.

Several widely recognized IT governance frameworks may be used in establishing the criteria for assessing IT governance. These include:

• ISO 38500, Corporate Governance of Information Technology. This international standard is applicable to all types and sizes of organizations. It is built around six principles: responsibility, strategy, acquisition, performance, conformance, and human behavior.
• COBIT 5. Its governance domain focuses on activities that operate at the board and executive level and is organized around three practices aligned with ISO 38500: evaluate, direct, and monitor.
• GTAGs are IPPF practice guides that provide detailed guidance for conducting audit activities.[5] Written in clear and concise business language, GTAGs provide guidance for the more detailed parts of an IT governance review.
• IT Infrastructure Library (ITIL) is a worldwide de facto standard for service management and contains broad, publicly available professional documentation on how to plan, deliver, and support IT service features. Some of the core publications are: Service Strategy, Service Design, Service Transition, and Service Operation.

Assessing Organizational Governance

The starting point for the audit function's assessment is to gain an understanding of the organizational context for governance. Efforts to understand the context include identifying the key stakeholders and their requirements, and determining how the organization defines governance. The CAE should work with the board, the audit committee, and the executive management team, as appropriate, to determine how governance should be defined for audit purposes. After the context has been defined, the major steps or phases of the Organizational Governance Assessment Process outlined in Figure 3 should be followed.

Gather Governance Documents

Governance should be tailored to comply with mandatory requirements and best fit the organization's risk profile. Records that document governance requirements and the organization's processes and structures to meet those requirements include:

• Laws and regulations — These tend to establish minimum governance requirements.
• Organizational policies, procedures, bylaws, and operating agreements.
• Governance codes or preferred practices promulgated by an influential body related to the governance of the organization. These codes can be mandatory, strongly recommended, or optional.

Other resources useful in identifying governance processes and structures include any documented evidence of customs, behaviors, and stakeholder expectations that exist in the organization's operating environment. If governance documentation is inadequate, the board should be notified and given an initial opportunity to strengthen governance.

Review Governance Processes and Structures

Governance processes and structures should be reviewed as part of the assessment process and on a regular basis. Auditors should keep in mind that there is no one-size-fits-all governance framework or model. By design, the organization's governance processes and structures should respond to the requirements identified in the preceding section.

Figure 3 – Organizational Governance Assessment Process: Gather Governance Documents → Review Governance Processes and Structures → Establish Assessment Criteria and a Governance Maturity Model → Develop Periodic Audit Plan → Plan and Complete Governance Engagements

[5] See "Additional Resources" for a link to this guidance.

Governance processes and structures may come under the purview of the board or management, depending on the nuances of the organization, the particular process or structure, and the level of the process or structure. The following generic, yet comprehensive, list of governance processes and structures can help audit functions ensure that they include all relevant activities in their governance review. Governance processes and structures listed are grouped at the board level and within the organizational (non-board) level, and include both quantitative (e.g., compliance metrics) and qualitative (e.g., tone-at-top) measures. Together, board and organizational processes and structures form a governance umbrella over the organization's operations.

Board-level Governance Processes and Structures

• Board and committee structure, charters, roles and responsibilities, processes, and reporting.
• Board and committee activities — calendars, meeting agendas, meeting papers, minutes and reports of meetings, follow-up actions, and self-assessments of board and committees' governance practices.
• Board and committee composition, including selection, induction, ongoing education and training, remuneration, and protection of members.
• Board and committee oversight areas, including objective-setting, strategies, structures, operating plans, budgets and capital allocation, CEO, ERM, ethics and integrity, delegated authorities, performance measurement and results, compensation and rewards, policies and procedures, compliance, decision-making, stakeholder communication such as financial reporting and disclosures, reputation, unpredictable events, and other organizational governance practices.
• Assurance practices, including external, financial, regulatory, and the audit function.
• Additional practices generally retained by the board, which may include:
  ›› Selecting, monitoring, evaluating, compensating, and retaining the CEO and other key members of senior management.[6]
  ›› Providing strategic guidance to the CEO and senior management.
  ›› Reviewing and approving objectives and important organizational plans and actions.
  ›› Making decisions on major transactions (transformational transactions) before submission to stakeholders for approval.[7]
  ›› Reviewing and approving major changes in accounting and audit principles and practices.[8]
  ›› Declaring dividends and approving share-repurchase programs.[9]
  ›› Resolving cross-organizational issues.

Organization-level Governance Processes and Structures

• Setting objectives.
• Developing strategies, operating plans and budgets, organizational structures, and management committees.
• Assigning authority and responsibilities organizationwide.
• Defining behaviors, codes of ethics, and conduct, including conflict of interest, fair dealing, protection and appropriate use of assets, insider dealings, violation reporting (hot lines), and disciplinary actions.
• ERM to include internal control, fraud risk management, and IT governance.
• Compliance with laws, regulations, and mandatory and optional codes, where adopted.
• Monitoring and performance measurement.

[6] In some jurisdictions, compensation and retention of public sector top management is not at the discretion of the board.
[7] This type of process approval is more familiar to state-owned enterprises.
[8] This is one of the main audit committee attributes.
[9] Only applicable to state-owned enterprises.
• Ensuring effectiveness of assurance providers within the organization, particularly operational management that serves as the first line of defense for a sound system of internal controls, and enterprisewide activities, such as risk management and compliance, which serve as a second line of defense.
• Communication up, down, and across the organization.
• Processes that ensure effective communication with stakeholders, interest groups, and citizens.
• Capital acquisition and allocation.[10]
• Capabilities — people selection, development, and retention.
• Transformational transactions.
• Cross-organization issues.
• Organizational responsibility and sustainability.
• Evaluation and rewards, and salary and incentive compensation.
• Organizational processes for assessing the performance and independence of external assurance providers, including the nature and extent of non-audit services obtained.[11]

The audit function itself is a key governance tool. Its effectiveness in providing assurance to stakeholders is critical to effective governance. The board and the audit committee should look to the CAE for periodic reports on the internal audit activity's quality assurance and improvement program and ensure that the program provides for an independent assessment at least every five years, as mandated by Standard 1312: External Assessments. The CAE should ensure that the reports of independent assessors are provided to the board. In addition, the board should draw its own conclusions on the effectiveness of the audit function.

Establish Assessment Criteria and a Governance Maturity Model

Governance maturity models may be used to identify, define, and evaluate assessment criteria gleaned from the review of governance records, processes, and structures. To develop an organization-specific maturity model, the CAE should review available models for the organization's country, sector, and industry, and consider the governance documents and issues specific to the organization. A draft maturity model should be discussed and agreed on with senior management and the board, including the audit committee.

In addition to establishing relevant and reliable criteria to measure governance effectiveness, maturity models can be used to:

• Evaluate governance effectiveness.
• Develop plans for improving the organization's governance structures, processes, and arrangements, either taken as a whole or by individual governance process (e.g., ERM, compliance, and internal audit). These plans are particularly useful when varying levels of maturity exist or are desired among different processes.
• Track improvement progress.
• Benchmark governance best practices.
• Map governance activities to those responsible for their design and operating effectiveness.

The audit function should conclude this phase of the assessment process by validating its understanding of governance processes, structures, and assessment criteria with the board and related committees.

[10] More applicable to, but not limited to, state-owned enterprises.
[11] More applicable to state-owned enterprises, which, in most jurisdictions, have their financial statements audited by private sector independent auditors. In most jurisdictions, government organizations other than state-owned enterprises have their financial accounts and operations audited by supreme audit institutions, which generally have functional and administrative independence protected by law.
Develop a Periodic Governance Audit Plan

The CAE should use a risk-based approach in defining the scope of the governance assessment or assessments. It is important to consider the nature of the organization (i.e., system of government, international government organizations, national and state government organizations, agencies, state-owned enterprises, and municipalities) and the context within which it operates. The risks to achievement of organizational objectives for which comprehensive governance processes and structures should be in place will be greatest in large, complex, highly regulated organizations and organizations in multiple jurisdictions.

Developing a periodic governance audit plan requires:

• Discussion of any special circumstances with the board.
• Consideration for relationships among governance, risk management, and control.
• Selection of an audit approach.
• Consideration for reliance on other assurance providers.

Discussion of any special circumstances with the board will provide general board and audit committee insights to help frame the overall audit plan. The sections below detail additional information on governance/risk/control relationships, audit plan approach, and reliance on other assurance providers.

Governance, Risk Management, and Control Relationships

A periodic plan for auditing governance should consider the relationships among governance, risk management, and internal controls. As outlined in PA 2110-2: Governance: Relationship With Risk and Control:

• Effective governance activities consider risk when setting strategy. Conversely, risk management relies on effective governance (e.g., tone at the top, risk appetite and tolerance, risk culture, and the oversight of risk management).
• Effective governance relies on internal controls and communication to the board on the effectiveness of those controls.
• Control and risk also are related. Control is defined as "any action taken by management, the board, and other parties to manage risk and increase the likelihood that established goals will be achieved."

Audit Plan Approach

Governance/risk/control relationships and the nature of the organization's governance processes and structures will help the CAE to determine the best approach to developing the audit plan. The best approach may be one or a combination of the following approaches:

• Audits of specific governance processes and structures such as those listed in the Review Governance Processes and Structures section on page 12.
• A single audit including all processes and structures that focus specifically on governance. This approach might be most practical in small organizations or as a high-level review to determine whether additional processes and structures are needed and whether the existing processes and structures, taken together, give the board all the information it needs to fulfill its governance responsibilities.
• Incorporating governance in audits that focus more directly on operations or support activities. In this approach, a component of each audit would include the interface of the governance processes and structures with the audited operation or activity. Governance audit work at the operations and support activity levels will provide detailed information to internal audit about how well governance is understood and practiced throughout the organization. Over time, and if desired by the board, the audit function may be able to assess the state of governance within the organization as a whole, using this work as a basis for that opinion.
The CAE should discuss and agree with the board on which approach or combination of approaches will be most effective for the organization. To implement the selected approach, the CAE should review the audit universe and modify it as necessary to ensure that governance processes and structures are included, for example:

• If the decision is to audit specific governance processes and structures, these processes and structures should be identified and included as auditable entities in the audit universe.
• If the decision is to perform a single audit including all processes and structures that focus specifically on governance, these processes and structures will become an auditable entity.
• If the decision is to include governance in audits that focus more directly on business operations or support activities, modifying the audit universe will be more difficult. Ideally, the CAE will identify the governance processes and structures within each auditable entity and include them when assessing risk for each entity. This might not be feasible, though, because identifying those processes and structures might be a major project in itself. In this case, it might be more practical to require the audit teams to identify and evaluate those processes and structures during the audits they perform. Auditors will have to add time for this additional work to each audit. After some time — perhaps a year — auditors will know enough about the organization's governance that identifying governance processes and structures in entities not yet audited will not be a major project.

With the universe defined, auditors should use a risk-based approach to identify the audits to be carried out over the planning horizon. Audit functions should ensure that a balance of units is selected for review with regard to governance, risk management, and control. Doing so allows the auditors to consider the holistic, organic view of governance, risk management, and control.

The CAE should obtain board input to ensure that the highest-risk non-board governance processes and structures are included in the internal audit plans. Many boards categorize organizational risks into strategic, operational, reporting, and compliance categories. The CAE should work with the organization's risk management professionals to identify possible discussion points with the board.

The CAE also should determine the board's expectations for audit function governance assessment deliverables. Examples of potential deliverables include:

• An overall opinion on the effectiveness of governance processes and structures.
• Opinions on the effectiveness of specific governance attributes.
• Reports with recommendations for improvement that do not include an opinion.

The board might prefer assessments based on a maturity model, with the maturity of each governance attribute measured against specific criteria. The board can then compare the actual and desired levels of maturity for each attribute, identify strengths and gaps, and get a more complete and balanced picture of the organization's governance than an audit opinion provides.

Some of the planned audits may be sensitive. It is important that the audit plan is reviewed with the board in detail and that its sponsorship is clearly established.

Reliance on Other Assurance Providers

Governance audits call for special consideration of coordination with external assurance providers.[12]

During the planning process, the CAE should determine what reliance the audit function can place on other assurance providers. Internal assurance providers include functions such as risk management, compliance, quality assurance, environmental auditors, health and safety auditors, and government auditors. The criteria for reliance include:

• Organizational independence.
• Individual objectivity.
• Competence (e.g., technical knowledge, experience, professional or industry certification, and continuing professional education).
• Documentation of work.
• Engagement supervision.
• Quality of written reports delivered to management.
• Issues and action plans identified.
• Communication of results to the appropriate level of the organization.
• Issue closure process.
• Issue closure escalation process to the appropriate level of the organization.
• Risk-based considerations in the annual planning process.

To confirm reliance, the audit function might:

• Review some of the assurance provider's engagement work.
• Re-perform a sample of the work.
• Perform one or more combined assessments with the assurance provider.

The annual plans prepared by other assurance providers where reliance is anticipated should be provided to internal audit early in the audit planning cycle. The plans should include scope, objectives, timing, and locations/areas to be assessed. Ideally, these plans should be risk-based using a common language — the one the audit function uses. Copies of relevant assurance-provider performance reviews should be provided to the audit function.

Boards with mature governance practices are beginning to ask for more and better coordination and integration of internal assurance services. The audit function should be instrumental in forming an integrated or combined internal assurance-provider process.

External assurance providers such as external auditors, third-party assurance providers, and regulatory examiners will give the board, executive management, and stakeholders additional comfort on aspects of the organization's performance and compliance. The CAE should consider the nature, scope, and timing of external assurance providers' work.

Plan and Complete Governance Engagements

Note: This section deals primarily with governance activities within the organization. Some leading internal audit activities also provide assurance on board governance activities. Guidance on assessing board governance is included in the Appendix.

Due to the uniqueness of each organization's governance processes and structures, planning a governance engagement may be difficult and require significant judgment by the auditor. Each engagement should include an evaluation of the design of the process or activity and sufficient testing to draw a conclusion on operating effectiveness.

Some specific areas to consider at the engagement level include:

• Process objectives — goals and purpose of the process or activities within the scope of the engagement.
• Risks — risks to the achievement of those objectives identified in setting strategy.
• Structures — organizational units, processes, policies, and procedures that support the achievement of objectives and are documented, communicated, and understood.
• Accountabilities — clearly defined roles, responsibilities, and accountabilities.

[12] See Practice Advisory 2050-1: Coordination and The IIA Practice Guide, Reliance by Internal Audit on Other Assurance Providers.
• Compliance with legal and regulatory requirements.
• People — adequate staffing, training, and development.
• Communicating results.
• Monitoring improvement action progress.

Planning the Engagement

Planning the engagement encompasses setting engagement objectives, identifying governance process objectives and risks, legal involvement, and engagement staffing. The audit plan should include the program of audits to be completed, timelines, and the resources needed.

Setting Engagement Objectives

Engagement objectives should align with the audit plan, reflect the purpose for performing the engagement, and identify the engagement deliverables. Simply put, engagement objectives state what the audit will provide. Engagement objectives should be formally established and communicated in an engagement memo or terms of reference. Objectives should clearly state the specific assurance to be provided. Examples include:

• Assess compliance with required governance activities.
• Evaluate risk management activities at the subsidiary level.
• Provide assurance on how well the organization's strategies have been communicated and adopted organizationwide.
• Evaluate the design, implementation, and effectiveness of the organization's ethics program and related activities.
• Assess how well authorities have been delegated, acknowledged, and followed throughout the organization.

Identify Governance Activity (Process) Objectives and Analyze Associated Risks

Understanding governance activity or process objectives enables the auditor to identify and analyze associated risks and controls. The overall objective of organizational governance in the public sector is to best serve and protect the public interest and ensure appropriate management accountability and communication to its key stakeholders.

There may be different types of objectives for each specific governance activity, process, or structure. Generally, objectives can be categorized as strategic, operational, reporting, and compliance. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management–Integrated Framework can provide useful guidance in identifying and understanding governance objectives. The COSO framework has been adapted by audit organizations to provide more direct applicability to public sector entities.[13]

Legal Involvement

Often, auditing requires an interpretation of laws and regulations. Except for those with law degrees, auditors generally do not have the legal background to adequately interpret the more complex legal implications affecting organizational governance. The CAE or supervisor of the engagement should involve the organization's legal department or General Counsel to provide the necessary advice. When the area of audit focus is assessment of the organization's legal activity, the CAE should consider use of outside counsel and obtain agreement from the board.

Engagement Staffing

Staffing requirements are shaped by the engagement's scope and objectives. While high-profile governance audits often require individuals with advanced knowledge, skills, competencies, and experience, the CAE is often challenged with resource constraints. The CAE should identify the knowledge, skills, competencies, and experience needed for the engagement and assign staff members who best fit the requirements. Where important gaps exist, the CAE should consider just-in-time training, guest auditors, or third-party providers. When using a third-party source for staffing, the CAE should ensure that guest auditors and third-party providers are independent and objective.

[13] The U.S. Government Accountability Office and the International Organization of Supreme Audit Institutions are among the organizations that have issued comprehensive COSO adaptations.

Performing the Engagement

Sources of Evidence

In providing assurance, auditors normally use a two-step approach: review the design of key processes and structures, then test their operating effectiveness. Audit functions should gather sufficient, relevant, and reliable information in carrying out the work and formulating conclusions and recommendations. Evidence should be gathered from a variety of sources, as recommended in Table 2.

Note: Many types of evidence may be relevant to one or more processes or structures.
Table 2: Governance Assurance Engagement

PROCESS OR STRUCTURE EVIDENCE TO CONSIDER

Board and Audit Committee • Legal documents establishing the organization (e.g., articles of formation, bylaws).
• Legal and regulatory requirements with which the board should comply (e.g., acts, statutes, and rules).
• Briefing papers including pre-meeting materials and presentations.
• Meeting minutes and actions taken.
• Charters including those of any committees of the board.
• Board member profiles.
• Self-assessments.
• Regulatory actions/sanctions.
• Orientation and training materials.
• External reports to independent auditors, regulators, rating agencies, etc.
• External reporting process documentation that evidences legal involvement.
• News sources for any relevant press regarding the organization.

www.globaliia.org/standards-guidance / 19
IPPF – Practice Guide
Assessing Organizational Governance in the Public Sector

PROCESS OR STRUCTURE EVIDENCE TO CONSIDER

Strategy • Current list of the organization’s objectives, standards, and strategies.


• Communication protocols.
• Details on alignment throughout the organization.
• Process to update and re-communicate.
• Evidence of board approval from meeting minutes or correspondence directly from the board.
• Details showing the allocation of resources to execute strategies approved by the board.
• Documented responsibility for strategy implementation.
• Risk policy and procedures approved by the board that include risk process, risk universe with common
risk descriptions, risk tolerance levels, risk assessment and reporting process, and risk ownership.
• Details of function/department/unit/individual objectives and their alignment to organizational goals.
• Performance or reward systems that encourage personnel to achieve organizational goals that are
aligned with stakeholder expectations.

ERM • Clearly defined objectives to enable the identification and assessment of risks related to objectives.
• Formal processes/procedures to identify risks to the achievement of objectives across the entity.
• Formal processes/procedures to analyze risks as a basis for determining how risks should be managed.
• Formal processes/procedures to identify and assess changes in external and internal environments that
could significantly impact the achievement of objectives.
• Formal processes/procedures to consider the potential for fraud in assessing risks to the achievement of
objectives.

Ethics • Ethics and integrity policy — adoption, communication, affirmation, and training.
• Mission, vision, and values established and communicated.
• Whistleblower hotline established and communicated, its level of awareness and use, and the
organization’s response.
• Organizational personnel surveys confirming individual awareness and understanding.
• Organizational personnel surveys confirming that executive leadership displays a values-based culture
and philosophy.
• New employee training and orientation that include values, culture, and philosophy.
• Communication/training exists on ethics and values in “gray areas.”

Compliance (organizationwide)
• Articles of formation (incorporation), bylaws, operating agreements, etc.
• Policies that include purpose, roles and responsibilities, audience, scope, definitions, authorities,
effective dates, implementation dates and procedures, authorities and administration, measurement,
and validation.
• Information and communication security/privacy policies and procedures.
• Standards that articulate the level of performance expected (e.g., zero defects or tolerance, Six Sigma).
• Mandatory governance requirements adopted with appropriate structures and incumbents in place at
C-suite level.
• Detailed process and accountability in place to keep current on governance requirements.
• Governance committee charters that include purpose, scope authority, roles and responsibilities, and
membership. These should be published, widely known, readily accessible, and periodically reviewed and
updated as necessary.
• Governance committee meeting minutes, actions taken, and reporting.
• Examples of governance committees in large organizations include governance, strategy, risk, audit,
control, compliance, disclosure, finance, and IT governance/risk.
• For large and more complex organizations, governance structures and organization charts that cascade
throughout the organization, are fully staffed, and have clear reporting relationships.
• Details on governance processes where there is shared accountability, particularly in organizations that
use matrix management.
• Process details for addressing or approving deviations to policies, standards, and procedures.
• Financial reports.
• Regulatory actions.
• Internal measurement results such as balanced scorecards.
• Civil actions.
• Press releases about the organization — what others are saying about the organization.
• Analysis, particularly external, comparing actual results to objectives and expectations, both short and
long term.
• External reports along with documentation evidencing conformance with established procedures.

Compliance (level below organizationwide structures)
• Documentation that identifies all organizational activities, operations, departments, functions, and
processes.
• Documented maps for each process showing inputs, activities, tasks, steps in the process, and outputs.
Mapping also should include references such as objectives, citizen conditions of satisfaction, ownership,
procedures to update when necessary, and procedures to make available to those with the need.
• Documentation for all aspects of transformational transactions and existing process change
management.
• Details on mandatory/required reporting to external parties.

Organizational Accountability
• Job descriptions for all organization personnel that contain responsibilities, authorities, reporting
relationships, and education.
• Professional development program/process that applies to all personnel.
• Leadership development program/process.
• Individual training records that include skills assessments, development plans, and training completed.
• Organizationwide training on ethics, integrity, and values.
• Personnel surveys that provide insights into how people view the organization’s commitment to people,
their capabilities, accountabilities, behavior, training, and education.
• Detailed, board-approved delegated authorities with processes for personnel acknowledgement, periodic
review, validation, and remediation when authorities are breached.
• Disclosure committee charter, roles, responsibilities, and meeting minutes.

Monitoring
• Documented organizational performance measurement system that illustrates the system and describes
the required information, form of the reports, reporting periods and due dates, and safeguards that
ensure accuracy and completeness.
• Copies of actual reports.
• Personnel and customer surveys: processes, questions, frequency, audiences, results, responses, and
status of improvement actions.
• Monitoring systems over and above performance measurement systems that should specify what and
when to monitor, responsibility, results, and improvement action plans and status.
• Internal communication systems up, down, and across the organization.
• Details on assurance mechanisms that include charters, scope, plans, and reports.
• Benchmarking process and results.
• Information “asset” management process/program.
• Due diligence evidence/documentation on assessment of third-party governance practices.
• External reports with comparisons to relevant internal reports covering governance practices.
• Surveys and results regarding personnel perceptions of the quality of information and communication.

IT Governance (where applicable)
• IT governance/risk/control program and processes.
• Defined information security policies, procedures, and practices.


Workpaper Documentation

Due to the sensitivity of some governance audit work, special handling may be needed for access and storage of
related audit workpapers. Audit workpapers are the property of the organization. The files are under the control of
the audit function and are accessible only to authorized personnel and citizens or others granted the right by legal
jurisdiction. Management review may be granted to substantiate or explain audit findings or to use audit
documentation for other purposes.

Communicating Outcomes and Results

Audit functions should communicate engagement outcomes and results consistent with Standard 2400 and
Practice Advisory 2400-1.14 Due to potential sensitivity, the audit function should consider obtaining the general
counsel’s advice on communicating results and retaining related workpapers before starting the engagement.
Reporting may be formal or informal, with consideration for which method will stimulate corrective action
without resulting in unintended negative repercussions. Even if reporting is informal, audit functions must follow
the Standards in communicating the audit results and in monitoring improvement action progress.

The CAE may be asked to facilitate self-assessments of the board or its committees. The results, including any
action plans, should be documented so that the board can monitor their progress. The method for documenting
and communicating results will be at the board’s discretion. The CAE should agree with the board and executive
management on dissemination of all governance-related reports.

Monitoring Improvement Action Progress

The CAE should work with the audit committee to establish a system to monitor the progress of improvement
actions communicated to management and the board. Due to the importance of governance activities and board
and CEO responsibilities for effective governance, the system should include:

• The time frame within which the improvement action will be completed, including key milestone dates.
• Ongoing evaluation of governance activity owners’ responses.
• Audit function validation or follow-up audit of the improvement action.
• An escalation process for unsatisfactory response, to include the assumption of risk for a delayed or
incomplete improvement action.

Engagement Administration

Governance audits can become high profile because they are generally public record. If the audit function is to
have a key role in assessing governance, its overall effectiveness in providing assurance to stakeholders is critical.
The CAE should ensure that governance engagements are adequately staffed, appropriately supervised, and
subject to the audit function quality assurance and improvement process, consistent with the Standards.

The board, through its audit committee, should look to the CAE for periodic reports on the audit activity’s quality
assurance and improvement program and ensure that the program provides for an independent assessment at
least every five years. The CAE also should ensure that these reports are provided. In addition, the board should
draw its own conclusions on the effectiveness of the audit function.

14 See “Additional Resources” for a link to IIA guidance, Transparency of the Internal Audit Report in the Public
Sector.

Additional Resources

IIA Guidance

GTAG 17: Auditing IT Governance
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG17.aspx

Practice Advisory 2050-1: Coordination
https://global.theiia.org/standards-guidance/Member%20Documents/PA_2050-1.pdf

Practice Advisory 2110-2: Governance: Relationship With Risk and Control
https://global.theiia.org/standards-guidance/Member%20Documents/PA_2110-2.pdf

Practice Advisory 2120-3: Internal Audit Coverage of Risks to Achieving Strategic Objectives
https://global.theiia.org/standards-guidance/Member%20Documents/PA_2120-3.pdf

Practice Guide: Assessing the Adequacy of Risk Management Using ISO 31000
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Assessing-the-Adequacy-of-Risk-Management-Practice-Guide.aspx

Practice Guide: Coordinating Risk Management and Assurance
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Coordinating-Risk-Management-and-Assurance-Practice-Guide.aspx

Practice Guide: Evaluating Ethics-related Programs and Activities
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Evaluating-Ethics-related-Programs-and-Activities-Practice-Guide.aspx

Practice Guide: Reliance by Internal Audit on Other Assurance Providers
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Reliance-by-Internal-Audit-on-Other-Assurance-Providers-Practice%20Guide.aspx

Public Sector Definition
https://global.theiia.org/standards-guidance/leading-practices/Pages/Public-Sector-Definition.aspx

The Role of Auditing in Public Sector Governance
https://global.theiia.org/standards-guidance/leading-practices/Pages/the-role-of-auditing-in-public-sector-governance.aspx

Transparency of the Internal Audit Report in the Public Sector
https://global.theiia.org/standards-guidance/leading-practices/Pages/Transparency-of-the-Internal-Audit-Report-in-the-Public-Sector.aspx


Non-IIA Guidance
Board Briefing on IT Governance, 2nd Edition. IT Governance Institute.

Enhancing Board Oversight by Avoiding and Challenging Traps and Biases in Professional Judgment (2012). COSO.

Enterprise Risk Management–Integrated Framework (2004). COSO.

Internal Control–Integrated Framework (2013). COSO.

Principles of Good Governance. Professional Risk Managers’ International Association, September 2009.


Appendix — Board Risks, Control Objectives, and Practices


The overall objective of organizational governance is to inform, direct, manage, and monitor an organization’s activities
toward achieving its objectives. On behalf of the organization’s key stakeholders, the board is the focal point for ensuring
effective governance.

The following table describes examples of risks that boards may encounter as well as control objectives and practices that
can be used to manage them.

RISKS/EVENTS | CONTROL OBJECTIVES | PRACTICES

Control objective: To fulfill board roles and responsibilities completely, accurately, and timely.

Risk/event: Board members do not have the required organization, industry, technical, IT, or other knowledge
and experience.
Practices:
• There is a sufficient number of outside, independent members of the board as required by organizational
need and applicable laws.
• The sufficient number of members and expertise needed for the board is defined by formal, specific criteria.
• Practices are in place to ensure the right mix of expertise, skills, and diversity is represented on the board
at all times.
• Backgrounds of potential board members are thoroughly reviewed and validated.
• Term limits are strictly enforced to ensure a regular infusion of new individuals who bring needed
competencies, provide fresh thinking, and keep governance connected to the stakeholders.

Risk/event: Members do not understand the role or responsibilities of the board.
Practices:
• Orientation, onboarding, and continuous training are conducted to ensure all members understand their
role and responsibilities.

Risk/event: Failure of board members to adequately fulfill their roles and responsibilities.
Practices:
• The board charter, policies, roles and responsibilities, and procedures are documented and made available.
• Updates are made timely.
• Changes are communicated adequately.
• Board members periodically visit the organization and meet with key leaders.


Risk/event: Failure of the board to meet legal requirements.
Control objective: To meet legal requirements of the board.
Practices:
• All legal requirements are identified, communicated, and made available to board members.
• Requirements are continuously monitored.
• Updates are communicated timely and adequately.

Risk/event: Failure of individual board members to exercise appropriate due diligence.
Control objective: To ensure all board policies, procedures, and legal requirements are followed.
Practices:
• A parliamentarian is assigned to monitor and advise on board processes, procedures, and legal requirements.
• An agenda is followed and minutes are kept for all meetings.
• Action dockets or similar methods are used to track assignments and deadlines.
• Calendars are maintained to keep board members informed of meetings and important deadlines.
• Individual evaluations and board assessments are conducted at least annually to identify improvements and
whether any board members’ terms have ended and/or need to be rotated off the board.

Risk/event: Insufficient challenge and skeptical inquiry is provided by board members.
Control objective: To ensure all board members’ concerns are identified and addressed.
Practices:
• Robert’s Rules of Order15 procedures are followed in board meetings, which are the standards for board
rules of order.
• Sufficient time is allocated in all agendas for open discussion and debate.
• The chairman of the board position is held by an outside, independent member with extensive experience
on other boards. This is considered a best practice and is mandated by law in some jurisdictions because
such a person is less likely to be influenced by relationships with, and the personal interests of,
management, and may be more effective in challenging executive actions.
• The board interacts regularly with the internal and external auditors, at times outside the presence of
management, to ensure they are allowed to carry out their mandate in an unrestricted manner.
• A sufficient number of nonexecutive directors on the board are attending board meetings.

15 Originally titled Pocket Manual of Rules of Order for Deliberative Assemblies, written by Henry Martyn
Robert in 1876. See http://www.robertsrules.com/ for latest edition.

Risk/event: Unknown or unanticipated vulnerabilities.
Control objective: To ensure board members understand the risks to the organization’s objectives and the
related vulnerabilities of the organization.
Practices:
• Risk assessments conducted by the organization’s chief risk officer — if one exists — management, internal
audit, or external parties (e.g., external auditors, regulators) are provided to board members as they become
available.
• Board members conduct their own risk assessments at least annually to include scanning the environment
for unanticipated events that may harm the organization’s reputation.

Risk/event: Decisions are made or actions are taken based on unreliable, incomplete, or untimely information.
Control objective: To ensure the board has reliable, complete, and timely information.
Practices:
• All necessary information (e.g., background, financial impact, risks, and benefits) is provided to board
members in a consistent format with sufficient time for thorough review before decisions are made.
• Sufficient time is allowed for debate before decisions are made.

Risk/event: Failure to meet stakeholder expectations.
Control objective: To ensure primary stakeholder needs are known by all board members.
Practices:
• Primary stakeholders are identified and allowed to vote on board membership.
• Surveys are conducted periodically to identify primary stakeholder needs.
• Primary stakeholders are allowed to attend meetings and ask questions at appropriate times during the
meeting.

Risk/event: Failure to appropriately inform key stakeholders.
Control objective: To ensure that all mandatory and optional information is communicated accurately and
timely to key stakeholders (including regulatory agencies).
Practices:
• The board reviews and approves all information, reports, and filings before release of information to key
stakeholders.

Risk/event: Organizational governance structures, processes, and practices are ineffective or lack
sustainability.
Control objective: Ensure an appropriate organizational governance framework is in place and operating
effectively.
Practices:
• Board oversight and monitoring of key organizational activities such as objective setting, strategies,
structures, operating plans and budgets, operating performance, and results.
• A succession-planning process exists for the organization’s CEO and other key leadership positions.
• The board reviews and approves the organization’s code of conduct, ethical culture, policies, and
procedures.


Author, Contributors, and Reviewer


Author
Gualter Portella, CIA, CCSA, CGAP, CRMA

Contributors
Scott Cohen, CIA, CCSA, CGAP, CRMA
Oliver Dieterle, CIA, CGAP, CRMA
Dr. Tea Enting-Beijering
Greg Hollyman, CIA, CCSA, CFSA, CGAP, CRMA
Kenneth J. Mory, CIA, CRMA
Christie J. O’Loughlin, CGAP, CRMA
Gloria Spelman, CGAP
Mmathabo Sukati, CIA, CCSA

Reviewer
Bruce Turner CGAP, CRMA, CISA, CFE, CFIIA

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with
global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice,
recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed
processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as
examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended
category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is
endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials
provided by The IIA, please visit our website at https://globaliia.org/standards-guidance.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not
intended to provide definitive answers to specific individual circumstances and as such is only intended to be
used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any
specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2014 The Institute of Internal Auditors. For permission to reproduce, please contact The IIA at
guidance@theiia.org.

GLOBAL HEADQUARTERS
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org

140454
IPPF – Practice Guide

Creating an Internal Audit Competency Process for the Public Sector

February 2015

Table of Contents

EXECUTIVE SUMMARY ............................................................ 1
INTRODUCTION ....................................................................... 1
  BUSINESS SIGNIFICANCE AND RELATED RISKS ..................... 2
  DEFINITIONS OF KEY CONCEPTS ........................................... 2
  RELATED IIA STANDARDS ...................................................... 3
PLANNING ............................................................................... 4
THE INTERNAL AUDIT COMPETENCY PROCESS (IA-CP) ............ 4
  VISION PHASE ....................................................................... 5
  OVERSIGHT PHASE ................................................................ 6
  DIRECTION PHASE ................................................................ 6
  COMPETENCY PHASE ............................................................. 7
  MONITORING PHASE ............................................................. 9
APPENDIX A — CITY OF AUSTIN, TX: STRATEGIC COMPETENCY PLAN PROCESS ........ 12
APPENDIX B — AUSTRALIAN GOVERNMENT CENTRAL AGENCY STRATEGIC COMPETENCY PLAN PROCESS ........ 15
APPENDIX C — RESOURCES ..................................................... 18
AUTHORS, CONTRIBUTORS, AND REVIEWERS .......................... 19

Executive Summary

Across the globe, public sector entities are facing increasing demands and heightened expectations from the
community, government, and other stakeholders. In part, this reflects the complexity, depth, breadth, and
cross-jurisdictional nature of the public sector landscape. Independent assessment of public sector
accountability, risk management, and internal control is increasingly reliant on well-mandated and structured
audit activities comprising competent internal auditors. An internal audit competency process is designed to
meet audit activities’ competency requirements and support the Internal Audit Capability Model (IA-CM) for
the public sector.1

The Internal Audit Competency Process (IA-CP) is a flexible process that can be used to benefit the audit
function’s activities. Key players in the process include the Board or Board Oversight Committee (BOC)2 and
the chief audit executive (CAE). Effective audit planning — including the strategic alignment of the IA-CP with
the entity’s strategic plan — will help to streamline efforts.

The IA-CP comprises five phases, broken down into 12 steps. The five phases include:

1. Vision – Assess the current position of the audit function’s collective competencies and identify the
desired position.
2. Oversight – Determine the audit function’s competency goals and identify competencies that need to be
developed or sourced.
3. Direction – Decide how to best develop the required skills or source them from third parties.
4. Competency – Develop and implement a strategic competency plan.
5. Monitoring – Evaluate effectiveness of the strategic competency plan.

Each phase includes multiple steps to be executed by the CAE, Board, or BOC. Each step is described in detail
within this guidance, and case studies from the United States and Australia depict how this guidance has been
put into practice.

Introduction

National, regional, and local level public sector internal audit activities work with government officials,
boards, CEOs, and management on behalf of taxpayers, consumers of government services, and the general
public. The audit function’s effectiveness is impacted by unique public sector characteristics, including:

• The demand for a high level of transparency and performance.
• The usual absence of a profit motive.
• A wide variety of organizational forms (e.g., national, regional, and local governments and
quasi-governmental and international government organizations).
• Complex legal frameworks for governing bodies.

In 2009, The IIA Research Foundation published the Internal Audit Capability Model (IA-CM) for the Public
Sector. The IA-CM is a framework that identifies the fundamentals needed for effective internal auditing in
government and the broader public sector. The IA-CM illustrates the stages through which an audit function
evolves as it defines, implements, measures, controls, and improves its processes and practices.

1 The IIA Research Foundation, Internal Audit Capability Model (IA-CM) for the Public Sector, 2009.
2 See definition on page 2.

• The IA-CM describes WHAT capabilities are required of a public sector audit function.
• The IA-CP describes HOW to achieve those capabilities through the competence of the audit staff.

This practice guide complements the IA-CM by providing specific guidance on developing, implementing, and
sustaining an IA-CP to ensure that the organization’s audit function has the collective knowledge, skills, and
other competencies necessary to complete planned audits and to support the audit function as it evolves. The
IA-CP attempts to match the capability level of the audit function with the internal auditor competencies
needed to support it.

Business Significance and Related Risks

In times of change and uncertainty, political risk is heightened, as reflected in the potential for financial or
market losses or the reduction in talent and human resources because of political decisions or disruptions.
Public sector internal auditing is being reframed by 21st century economic and technological events.

Not surprisingly, this reframing has created both risks and opportunities. Rapid change, emerging technologies,
and increasingly complex economic, regulatory, and operating environments may increase audit risk — the risk
of reaching invalid audit conclusions and/or providing faulty advice based on the audit work conducted.3 At the
same time, these circumstances serve as a catalyst for the audit function to develop an IA-CP to provide the
opportunity to enhance and develop the necessary competencies to meet these challenges head on. Without
sufficient investment in internal audit competencies, there may be increased exposure to key risks associated
with not improving the audit function activities across government, such as:

• Failing to meet government commitments due to loss of control, particularly during critical policy, service
delivery, and business system change.
• Service delivery failure (e.g., cross-agency matters, poor procurement and operations, and information
communication and technology systems).
• Inefficient use of existing resources and potential maladministration.
• Unreliable information for government decision-making.
• Increased opportunities for fraud and corruption, particularly with increased electronic service delivery.4

Definitions of Key Concepts

Audit function – See definition of Internal Auditing on page 3.

Audit risk – The risk of reaching invalid conclusions and/or providing faulty advice based on the audit work
conducted.5

Board – The highest level of governing body charged with the responsibility to direct and/or oversee the
activities and management of the organization. Typically, this includes an independent group of directors (e.g.,
a board of directors, a supervisory board, or a board of governors or trustees). If such a group does not exist,
the “board” may refer to the head of the organization. “Board” may refer to an audit committee to which the
governing body has “delegated certain functions.”6 As used in this guidance, “board” refers to the governing
body of a public sector entity.

Board Oversight Committee (BOC) – As used in this guidance, BOC refers to a board committee with
responsibility for oversight of the internal audit function. In some jurisdictions, this will be an audit committee.

Competency – The ability of an individual to perform a job or task properly, being a set of defined knowledge,
skills, and behavior.7

3,5 Kurt F. Reding et al., Internal Auditing: Assurance & Advisory Services, 3rd ed., p. 10-3 (The Institute of
Internal Auditors Research Foundation, 2013).
4 “Review of Internal Audit Capacity in NSW Public Sector,” New South Wales Department of Premier and
Cabinet, Performance Review Unit, 2008.
6 The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards).
7 The IIA’s Global Internal Audit Competency Framework, The Institute of Internal Auditors, Inc., 2013.

Internal Auditing – An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal Audit Capability Model (IA-CM) – A framework that identifies the fundamentals needed for effective internal auditing in the public sector.8

Internal Audit Competency Process (IA-CP) – A series of activities designed to enhance the likelihood that public sector internal auditors collectively achieve the knowledge, skills, and other competencies necessary to support their respective audit activities as their capabilities progressively evolve.

The IIA’s Global Internal Audit Competency Framework – A tool that defines the competencies needed to meet the requirements of the International Professional Practices Framework® (IPPF®) for the success of the internal audit profession.9 The framework outlines the 10 core competencies to be demonstrated by each of three broad job levels — internal audit staff, internal audit management, and the CAE. Core competencies include:

I. Professional ethics: Promotes and applies professional ethics.
II. Internal audit management: Develops and manages the internal audit function.
III. IPPF: Applies the International Professional Practices Framework (IPPF).
IV. Governance, risk, and control: Applies a thorough understanding of governance, risk, and control appropriate to the organization.
V. Business acumen: Maintains expertise of the business environment, industry practices, and specific organizational factors.
VI. Communication: Communicates with impact.
VII. Persuasion and collaboration: Persuades and motivates others through collaboration and cooperation.
VIII. Critical thinking: Applies process analysis, business intelligence, and problem solving techniques.
IX. Internal audit delivery: Delivers internal audit engagements.
X. Improvement and innovation: Embraces change and drives improvement and innovation.

Related IIA Standards

The International Professional Practices Framework (IPPF) outlines the following International Standards for the Professional Practice of Internal Auditing (Standards) related to competency. Additional competency-related IIA guidance documents are identified in Appendix C.

Standard 1010: Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter

The mandatory nature of the Definition of Internal Auditing, the Code of Ethics, and the Standards must be recognized in the internal audit charter. The chief audit executive should discuss the Definition of Internal Auditing, the Code of Ethics, and the Standards with senior management and the board.

Standard 1200: Proficiency and Due Professional Care

Engagements must be performed with proficiency and due professional care.

• 1210 – Proficiency: Internal auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

8 Internal Audit Capability Model (IA-CM) for the Public Sector, The IIA Research Foundation, 2009.
9 The IIA’s Global Internal Audit Competency Framework, 2013.

• 1210.A1 – The chief audit executive must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
• 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
• 1210.A3 – Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
• 1210.C1 – The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.
• 1220 – Due Professional Care: Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

Standard 1230: Continuing Professional Development

Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development.

Planning

Effective planning is key to the successful development and implementation of an IA-CP. The following planning activities will help to streamline efforts.

• Determine the strategic links between the audit function and the organization’s statutory objectives, values, and strategic plan.
• Research the legal basis of the audit function within the entity’s geopolitical environment.
• Evaluate compliance of the audit function with government policy on internal auditing.
• Establish alignment with The IIA’s Standards and other applicable standards.
• Assess congruence between the audit function mandate and the audit committee charter.
• Review existing documents:
  ›› The audit function charter.
  ›› The audit function organizational structure.
  ›› Audit plan.
  ›› Audit universe that addresses new threats and opportunities that may quickly evolve or appear on the horizon.
  ›› The audit function job descriptions (CAE, manager, staff auditor, IT auditor, etc.).

The Internal Audit Competency Process (IA-CP)

The IA-CP can be applied by public sector entities striving to establish a new audit function as well as by established audit activities striving to progress to a higher IA-CM level. The IA-CP comprises five phases, which are further broken down into 12 steps, as illustrated in Table 1: Internal Audit Competency Process (IA-CP).


Table 1: Internal Audit Competency Process (IA-CP)

NEW OR REPOSITIONED AUDIT FUNCTION: Vision Phase | Oversight Phase | Direction Phase | Competency Phase
ESTABLISHED AUDIT FUNCTION: Monitoring Phase

Vision Phase
  Step 1 – Assess the balance of skills within the board.
  Step 2 – Assess the organization’s needs.
  Step 3 – Identify desired IA-CM level and scope of responsibility and authority.

Oversight Phase
  Step 4 – Select qualified board oversight committee (BOC).
  Step 5 – Develop BOC charter.

Direction Phase
  Step 6 – Identify and recruit a qualified CAE.
  Step 7 – Develop internal audit charter.

Competency Phase
  Step 8 – CAE develops a strategic competency plan.
  Step 9 – CAE identifies existing competencies.
  Step 10 – CAE identifies competency gaps.

Monitoring Phase
  Step 11 – BOC reviews audit function competency profile.
  Step 12 – BOC endorses and monitors strategic competency plan.

Outcome: The internal audit function fulfills competency needs and achieves conformance with IIA Standards. It has positioned itself to add value to the business and help it achieve its objectives.

Note: The IA-CP is designed to be flexible. An entity or audit function may begin at any phase, and steps within a phase may be conducted simultaneously or in different order, as needed.

Vision Phase

The IA-CP vision relates to how the board wants to position the audit function in the future. It should align with the organization’s statutory objectives, values, board mandate, strategic plan, business plans, and assurance framework, with consideration for known and emerging risks and vulnerabilities. The cultural, social, economic, political, and legal characteristics of the entity’s jurisdiction will impact the IA-CP vision. The vision phase should be performed by, or on behalf of, the board and may be in response to a legislative mandate, a regulatory requirement, an administrative policy, or a management dictate.10 The vision phase comprises three steps.

Step 1 – Assess the Balance of Skills within the Board

The first step is an assessment of the board’s ability to oversee the establishment or repositioning of the audit function. Qualifications should provide a multidisciplinary mix of professions including legal, accounting, technology, and public administration. The mix of skills should include a working knowledge of contemporary governance, risk, and compliance frameworks, and leading internal control frameworks such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework, the Canadian Criteria of Control Board’s Internal Control Framework, the King Code of Governance, or the U.K. Corporate Governance Code. Experience should be commensurate with the audit function’s current position within the IA-CM, and the entity’s complexity and level of government (e.g., national, regional, or local).

Step 2 – Assess the Organization’s Needs

The second step in the vision phase is to assess the audit activity’s current IA-CM level (see Table 2), relative to the needs of the organization. Consideration should be given to the required competencies of internal audit staff at all levels. Public sector audit functions operate in a complex environment. The vision should be congruent with the degree of complexity. For example, an audit function

10 For related information, see The IIA’s Global Public Sector Insight: Policy Setting for Public Sector Internal Auditing in the Absence of Government Legislation, 2014.

Table 2: Competencies Associated with IA-CM Levels

Level 5 – Optimizing | Top-level professional and specialized skills
Level 4 – Managed | Requisite skills/competencies in place; renewable and shareable
Level 3 – Integrated | Professionally qualified staff/internal audit function coordination
Level 2 – Infrastructure | Continued reliance on individual auditor
Level 1 – Initial | Skills of individual auditor

operating in an industry with unique risks (such as nuclear energy) most likely would be required to have more technical competencies compared to an audit function operating in a less complex environment (such as policy setting).

Step 3 – Identify the Desired IA-CM Level and Scope of Responsibility and Authority

The board should clearly identify the desired position of the audit function, in accordance with the IA-CM illustrated in Table 2: Competencies Associated With IA-CM Levels. Factors to consider include the scope of audits, the structural arrangements within the audit function, and the balance of skills needed. The board and the CAE should collaborate to the greatest extent possible — each will have varying degrees of input depending on their own respective competencies and the current position of the audit function.

Oversight Phase

During the oversight phase, the audit activities’ competency goals are determined and competencies that need to be developed or sourced are identified.

Step 4 – Select Qualified Board Oversight Committee (BOC)

For new audit activities, the board should appoint a BOC with the skills described in Step 1. If a BOC already exists, the governing board should confirm that it is well qualified. See Global Public Sector Insight: Independent Audit Committees in Public Sector Organizations for more information.

Step 5 – Develop BOC Charter

The BOC should develop a charter addressing competencies expected of the committee members in conjunction with the desired IA-CM maturity level and the organization’s operations, reporting, and compliance objectives. See the model charter contained in the Global Public Sector Insight: Independent Audit Committees in Public Sector Organizations.

Direction Phase

The direction phase involves activities to define and acquire a qualified CAE and, subsequently, for that CAE to initiate steps to move the audit function forward.

Step 6 – Identify and Recruit a Qualified CAE

The BOC should identify the competencies required for the CAE. The BOC, the CEO, and the existing CAE (if applicable) should be involved in creating or updating the CAE’s job description. Next, it should be determined if the identified competencies are present within the audit function and, if not, whether they can be developed


internally, recruited from within the organization, or provided by a third party. The CAE must have relevant public sector experience and have achieved competency on the IA-CM at a level consistent with or better than the desired IA-CM level established by the BOC in Step 3. The CAE also should demonstrate CAE-level competencies identified in The IIA Global Internal Audit Competency Framework (Competency Framework). See The IIA’s Practice Guide, Chief Audit Executives – Appointment, Performance Evaluation, and Termination for more information.

Step 7 – Develop Internal Audit Charter

A CAE must develop an internal audit charter in conformance with IIA Standard 1010: Recognition of the Definition of Internal Auditing, the Code of Ethics, and the Standards in the Internal Audit Charter. The charter should be consistent with the related BOC charter and address the relevant IA-CM maturity level and the desired competency requirements in accordance with the Competency Framework. Sample language:

Our vision is to continue to evolve the internal audit function within the entity to embrace the relevant and recognized elements of a “world-class” audit function. These elements are founded on client experience, audit planning, maximizing audit resources, audit strategy, and audit breadth. By (year), the internal audit function will be recognized through an independent review as operating at an “optimizing” level on the IA-CM.

Competency Phase

The strategic competency plan is developed and implemented during the competency phase.

Step 8 – CAE Develops a Strategic Competency Plan

In conjunction with the development of the audit plan, the CAE should develop a complementary competency plan. The competency plan should identify the competencies necessary to implement the audit plan. Key points to consider when developing a competency plan include:

• Develop an aspiration statement. For example: By (year), anyone who is practicing internal auditing at the entity will be appropriately certified or will be reporting to someone who is appropriately certified.
• Leverage the Competency Framework.
  ›› An approach is to distinguish between basic awareness and greater degrees of competence including understanding, proficiency, and expertise.
  ›› Consider the size of the audit function, the audit environment, and complexity of the audit plan in selecting an approach.
• If an entity has its own capability framework, map the Competency Framework’s core competencies to the entity’s framework.
• Apply the Competency Framework to the audit function’s third-party providers. For more information, see The IIA’s Position Paper, The Role of Internal Auditing in Resourcing the Internal Audit Activity.
• Identify sophisticated technical and business acumen competencies necessary to anticipate how risks impacting other industries or sectors might eventually impact the entity.
• Revise applicable policies, procedures, and job descriptions to reflect the strategic competency plan requirements.


Table 3: Sample IA-CP Skills Matrix

IA-CP Stakeholder | Competency | Goal Gap | Action

Board
  Competency: Stable, well balanced, and multiskilled with extensive public sector experience. Well connected with government’s agenda.
  Goal Gap: New government-directed business initiatives are being explored with the likelihood of a commercial business arm being established to cover utility services.
  Action: Appoint a member to the governing body with extensive business and transformational leadership experience.

Board Oversight Committee (BOC)
  Competency: Strong governance, risk, control, financial, and auditing skills.
  Goal Gap: The entity is set to embark on a complex multimillion-dollar technology solution. BOC has limited IT experience.
  Action: Recruit a BOC member with extensive skills in IT governance.

CAE
  Competency: Well respected and highly experienced in traditional auditing techniques.
  Goal Gap: BOC is looking for the audit function to add greater value, and sees a need for them to step up to a higher maturity level.
  Action: Engage an executive coach to assist the CAE in the transformation of the audit function.

Auditor
  Competency: Multidiscipline skill set with strong public sector auditing experience.
  Goal Gap: Objective feedback in stakeholder satisfaction surveys has indicated that auditors need to improve in their communication skills.
  Action: Deliver a tailored communications training course for all internal auditors, including writing, presenting, controlling meetings, listening, and body language.

Step 9 – CAE Identifies Existing Competencies

The CAE should inventory existing competencies among the audit staff. Procedures for gathering information include:

• Benchmarking – Comparing the overall profile of the audit staff against entities with leading audit practices.
• Feedback – Analyzing responses to stakeholder satisfaction surveys (e.g., audit committee, internal clients, and audit staff).
• Inquiry – Interviewing clients or third parties, or asking internal auditors to complete a competency self-assessment.
• Observation – Watching internal auditors perform various duties.
• Inspection – Reviewing performance evaluations and training records.

Step 10 – CAE Identifies Competency Gaps

The CAE should perform a competency gap analysis and develop an action plan to fill the gaps. Various matrices may be utilized to report the findings, as illustrated in Table 3: Sample IA-CP Skills Matrix. For example:

• A skills matrix would identify current competencies within the audit function and those provided through existing contracts with third-party providers.
• A blended skill matrix would identify business-specific competencies as well as internal auditing competencies.


The CAE should develop an action plan to fill the gaps using a three-pillar solution.

Table 4: Three Pillar Solution

1. Nurture a professional learning environment.
2. Maintain a structured professional development plan.
3. Selective recruitment to achieve a well-balanced audit team.

It can be difficult to reach the competency levels needed if internal auditors are not enthused to embark on further studies or training. So it is important to nurture a professional learning environment, which becomes self-motivating as colleagues achieve success.

In many jurisdictions across the globe, public sector organizations need to trim their costs and manage discretionary expenditure areas such as training and development. The establishment of a professional development plan for the audit function provides a well-considered strategic driver for the board to support the audit function’s investment in this area.

An investment in training and development alone will not always deliver all the competencies needed, so the targeted recruitment of audit team members with the desired skill sets becomes an important strategy. This is illustrated in Table 5: Sample High-level Competency Profile.

Monitoring Phase

During the monitoring phase, the results of the strategic competency plan are evaluated against defined targets and key performance indicators.

Step 11 – BOC Reviews Audit Function Competency Profile

BOCs play a key role in monitoring the competency, performance, and contribution of the audit function. Leading practice audit entities typically produce a periodic (at least annual) profile of their staffing competency at an overall and individual level.

The high-level profile typically includes benchmarking of the audit activity’s competencies as a whole against relevant resources, such as The IIA’s IA-CM and The IIA’s Global Audit Information Network data, and against leading public sector agencies in their region. It will be informed by collating and analyzing a detail-level profile, which provides insights on key indicators such as the average years of audit experience, base qualifications, post-graduate qualifications, and auditing and other professional certifications. After the first year, the CAE should be able to provide trends against the targets and key performance indicators (KPIs) established in agreement with the BOC.


Table 5: Sample High-level Competency Profile

Outcome | Measure | Result Year 1 | Year 2 | Year 3

Specific Strategies
Boost proportion of qualified staff | Percentage of staff with tertiary qualifications | 77% | 97% | 97%
Boost proportion of qualified staff | Percentage of staff with post-graduate qualifications | 30% | 67% | 70%
Increase the percentage of certified staff | Percentage of staff with auditing certifications (CIA, CISA, CGAP) | 10% | 21% | 23%
Increase the percentage of certified staff | Percentage of staff with accounting certifications (CPA, CA) | 37% | 39% | 40%
Achieve greater links to professional bodies | Percentage of staff with professional memberships | 70% | 91% | 100%
Grow years of auditing experience | Average years of auditing experience – overall | 9 years | 11.5 years | 12 years
Grow years of auditing experience | Average years of auditing experience – senior leaders | 18 years | 19 years | 20 years
Grow years of auditing experience | Average years of auditing experience – supervisors | 13.5 years | 14 years | 14 years
Grow years of auditing experience | Average years of auditing experience – other auditors | 5 years | 6.5 years | 7 years
Grow high-potential talent | Percentage of staff placed from a graduate recruitment program | 7% | 18% | 18%

Ancillary Outcomes
Alter gender imbalance | Percentage of staff who are women | 27% | 42% | 40%
Alter gender imbalance | Percentage of women in leadership roles | 23% | 50% | 47%

How the Audit Function Team is Shaped – Three-Year Trend
Stalwarts | 40%
  Original team members | 31%
  Original team members who had spent time away on secondment | 9%
Additions | 60%
  Recruited from outside the entity | 30%
  Recruited from other areas of the entity | 9%
  Sourced from Graduate Program | 18%
  Returned from overseas secondment | 3%
Total | 100%

A detail-level profile provides an opportunity to showcase expertise across the audit function by summarizing at a high level the business background (capturing the skills, public sector knowledge, and experience throughout their career), time and current position at the organization, years of specific auditing experience (both internal and external audit), the qualifications (both undergraduate and postgraduate), and professional certifications (auditing and others). A partially populated detail-level profile is provided in Table 6: Sample Detail-level Competency Profile.


Table 6: Sample Detail-level Competency Profile

Level/Name | Prior Business Experience | Years at Your Entity | Auditing Experience | Qualifications | Certifications

CAE
George | 25 years in public sector, previously 10 years in finance sector working in London, New York, and Sydney. | 7 years | 19 years, including 12 years internal auditing and 7 years in external auditing, with 10 years in senior audit management roles | BS Business; M Accounting | CIA, CISA, CGAP, CFSA, CFE

Audit Leadership
Ringo | Early 6-year career in marketing drumming up new business; 1 year as acting CFO in energy sector; then transitioned to internal auditing. | 17 years | Financial and operational auditing for 22 years, with senior managerial roles for 8 years | BS Accounting | CIA, CGAP
John | 10 years in business support areas for information systems before transitioning to IT audit. | 3 years | IT auditing for 16 years | BS IT; MS IT | CISA

Audit Supervisors
Paul | Spent 8 years with major accounting firm before transitioning to internal audit in the public sector. | 5 years | 15 years internal auditing, specializing in business improvement and assurance frameworks | BA; MBA | CIA, CGAP

Auditors
Information for each staff auditor should be filled out in a similar manner.

Overall Summary | | Average of 8 years | Average of 18 years | 100% | 100%

Step 12 – BOC Endorses and Monitors the Strategic Competency Plan


For a BOC to fulfill its typical charter requirements with respect to the competency, performance, and contribution of the
audit function, its members need to review and challenge the analysis, narrative, and conclusions contained in the CAE’s
strategic competency plan. Once the BOC is satisfied that the strategic competency plan is congruent with their vision,
direction, and expectations, it should formally endorse the plan.

Steps should then be taken for the BOC to monitor the implementation of the strategic competency plan, with the CAE
required to produce periodic (i.e., semi-annual) updates against the agreed targets and KPIs.

See Appendices A and B for practical IA-CP applications.


Appendix A

City of Austin, Texas (United States): Competency Process

Background

The City of Austin, Texas, chartered in 1839, has a council-manager form of government with a mayor and six council members. The mayor and council members are elected at-large for three-year staggered terms with a maximum of two consecutive terms. The city manager, appointed by the city council, is responsible for managing all city employees and the administration of city affairs with the exception of the city auditor, city clerk, municipal court, and municipal court judge.

The city provides a full range of services including financial administration, public safety, transportation, aviation, planning and development, sustainability, health and human services, public recreation and culture, library, urban growth management, electric, water, wastewater, watershed protection, public works, convention, and animal services.

Office of the City Auditor

The Office of the City Auditor (OCA) seeks to assist the Austin City Council, citizens, and city management in establishing accountability and transparency. The dynamic city of Austin, Texas, is growing and has navigated through recent economic challenges, emerging relatively unscathed.

Nonetheless, the city faces many challenges and opportunities in the years ahead. The global financial crisis and lingering concerns about the stability of global financial systems continue to have serious impacts in both the private and public sectors. In today’s environment, especially with rapid changes in the cyber world, the challenge is that issues not currently present could become threats in a short amount of time.

The OCA has an audit staff made up of full- and part-time auditors and administrative staff.

Strategic Competency Plan Process

OCA recognizes that today’s auditor must possess the needed knowledge, skills, and abilities (KSAs) or competencies to obtain key insights related to their audit environment, including threats and opportunities that are present, evolving, or on the horizon.

To address this competency issue, Austin’s OCA conducts a self-analysis to determine critical resource availability. The city’s strategic planning efforts provide the basis for OCA’s planning efforts — seeking to align the plan with the ideals and direction captured in the City’s Imagine Austin Comprehensive Plan.

Flowing from that plan, a strategic competency plan is developed by identifying the competencies that are required and available. Where gaps are identified, strategies are employed to obtain that competency through recruiting efforts, developing current staff, or hiring subject matter experts (SMEs).

These identified competency “need” areas drive changes to job descriptions and postings, determine individual and office-wide training plans, and dictate specifications in the requests for qualifications for SMEs who can provide the competencies needed to complete specialized, critical, or time-sensitive projects (see Figure 1: Flowchart – OCA Strategic Competency Plan). This plan is multifaceted in that competency is viewed from three perspectives — the auditing profession as a whole, the audit entity, and the individual auditor.

The OCA Strategic Competency Plan identifies six areas of key competency and details the objective, focus, and implementation strategy to achieve improvement in each area. This competency plan will provide the opportunity to enhance the capacity of each auditor and, therefore, OCA to provide insightful audits and services to stakeholders as they are needed.


The training and developmental initiatives identified in the plan focus on strengthening existing competencies
through core training and developing skills specific to city systems and functions. Continuous improvement of core
audit skills will always be a key part of the action plan. The goal is for staff to achieve a thorough understanding
of COSO’s Internal Control–Integrated Framework. In addition, OCA seeks to develop SME skills through
specialized training, as well as through the recruiting and hiring process.

Figure 1: Flowchart – OCA Strategic Competency Plan

[Flowchart: Imagine Austin Comprehensive Plan -> OCA Audit Plan -> OCA Strategic Competency Plan -> Competency Required / GAP / Competency Available -> Strategies to Acquire Needed Competency -> Recruiting (Job Descriptions, Job Postings); Development (Training Plan); Subject Matter Experts (SMEs) (Qualifications)]


The city auditor ensures that the organizational structure, developmental initiatives, and programs are congruent with
what is required to effectively and efficiently achieve planned objectives. To effectively and efficiently achieve the goals of
the audit plan, highly qualified resources are required as illustrated in Table 7: OCA Strategic Competency Plan.

Table 7: OCA Strategic Competency Plan

Key competency areas (one check mark per area that applies): Core | Financial | Construction | Sustainability | Cybersecurity | Regulatory Matters

OBJECTIVES
• To ensure that OCA staff possesses the knowledge, skills, and other competencies needed to perform responsibilities as required by U.S. Generally Accepted Government Auditing Standards (GAGAS). | √ √ √ √ √ √
• To increase audit capability to address specific risk areas. | √ √ √ √ √

COMPETENCY FOCUS
• Audit methodologies (including root cause analysis, internal controls, and data analysis). | √ √ √ √ √ √
• Evidence standards. | √
• Communications (including interviewing and report writing). | √
• Project management. | √
• Develop audit capabilities that comply with applicable GAGAS standards and address operational and strategic risks. Also, as appropriate, IPPF and AICPA standards. | √ √ √ √ √ √
• Strengthen staff insight of critical risk areas and understanding of key city systems. | √ √ √ √ √

IMPLEMENTATION STRATEGY
• Require supervisory staff and above to hold relevant audit certification. | √
• Provide cost-effective core audit competency training. | √ √ √ √ √ √
• Identify OCA staff to develop insights into critical risk areas and key city systems. | √ √ √ √ √
• Provide cost-effective baseline and advanced training in critical risk areas and city priorities. | √ √ √ √ √
• Encourage CISA certification. | √


Appendix B

Table 8: Australian Government Central Agency Strategic Competency Plan Process

STEPS | ACTIONS TAKEN

Step 1 – Assess the balance of skills within the board.
• Experienced and capable board leadership was in place.
• The board determined that an experienced professional CAE was needed if they were to deliver the audit function vision.
• In particular, the board was seeking someone to provide strong professional leadership to a large audit function that had teams spread across four states.
• The BOC (in this case the audit committee) was apprised of better practice guidance published by the auditor general of Australia on Public Sector Audit Committees: Having the Right People is the Key.

Step 2 – Assess the organization’s needs.
• The contribution of the audit function was benchmarked against leading practices, and opportunities for strengthening existing arrangements were determined.
• Based on an IA-CM assessment, the internal audit function was operating below expectations, close to Level 2 (Infrastructure).
• The requirements of the audit function to deliver at a basic level were established, and the audit committee further agreed with the CEO on the aspiration to create an internal audit function that was of a “world-class” level.

Step 3 – Identify desired IA-CM level and scope of responsibility and authority.
• By aligning the “world-class” vision to the IA-CM, the audit committee determined that it would need to establish strategies to move the audit function through Level 3 (Integrated) to Level 4 (Managed), and ultimately toward Level 5 (Optimized).
• Based on risk-based assurance mapping, the audit committee determined that the coverage of the audit function needed to be broadened to cover emerging technology and business-specific risk areas, and recognized that this would require different auditing skills.

Step 4 – Select qualified BOC.
• It is a legislative requirement at the federal (national) level in Australia to maintain an audit committee.
• The audit committee had been well established and was functioning at a high standard, with a highly competent and experienced membership.
• The audit committee contained a multidisciplinary skill set with a mix of financial, technology, legal, business-specific, and public sector skills.

Step 5 – Develop BOC charter.
• The audit committee charter was reviewed and amended to align to the Model Charter produced by the auditor general of Australia in Public Sector Audit Committees: Having the Right People is the Key.

Step 6 – Identify and recruit a qualified CAE.
• An updated position description for the CAE was established in consultation with the audit committee and CEO. A rigorous merit-based recruitment process was undertaken to secure an experienced career audit executive as CAE.

Step 7 – Develop internal audit charter.
• The internal audit charter was reviewed and amended to align to the Model Charter produced by the auditor general of Australia in the guidance, Public Sector Internal Audit: An Investment in Assurance and Business Improvement.
• The internal audit charter provided for various types of internal audits, including performance, assurance, and consulting engagements.

Step 8 – CAE develops a strategic competency plan.
• The CAE developed a contemporary, risk-based program called the Forward Work Program covering the ensuing 12 months, which was accompanied by a menu of audits for the following two years.
• In addition to the proposed coverage for three years (above), an allowance of 20 percent of time was provided to accommodate emerging risk areas, new business, and management-initiated requests (at the discretion of the CAE in consultation with the audit committee).
• A strategic competency plan was formulated based on the approved Forward Work Program. The plan articulated the skills that would be required to tackle the proposed audits over the ensuing three years.

Step 9 – CAE identifies existing competencies.
• The CAE developed a skills matrix that identified the current skills available throughout the audit function and those available through existing contracts with third-party specialist suppliers.
• The skills matrix contained a blend of current competencies that were business specific, together with those required for professional auditing.

Step 10 – CAE identifies competency gaps.
Based on the competency analysis, the CAE identified competency gaps at four distinct levels.
• There were flaws in the current staffing competency to complete the existing Forward Work Program. The CAE established a professional development plan to specify the holistic and individual training needs over the ensuing three years, and the CAE arranged for tailored training courses to be conducted. As an example, the first phase of the professional development plan recognized that auditing staff did not have strong all-around communication skills (e.g., interviewing, presentation, listening and body language, and report writing skills). They also did not have a consistent appreciation of soft skills, and their knowledge of professional auditing standards was fragmented.
• The staffing composition was substantially of an accounting nature, whereas the Forward Work Program required a multidisciplinary skill set. The job redesign undertaken by the CAE produced updated position descriptions to use in a targeted recruitment program.
• A small percentage of staff held auditing-specific certifications (e.g., Certified Internal Auditor, Certified Government Auditing Professional, Certified Information Systems Auditor, and Certified Fraud Examiner). The CAE aspired to at least double the percentage of auditing certifications over the ensuing three years, and appropriate mechanisms and incentives were put in place to achieve this goal.
• While 15 percent of the financial budget was available to secure specialist providers (when it was not financially prudent to retain the competencies in-house), the contract panel was not broad enough to cover future needs. A new contract panel was established.

Step 11 – BOC reviews audit function competency profile.
• As the CAE rebuilt the audit function, it was appropriate to showcase the talent available through a profile of staff competencies. This was an important step in lifting the confidence that the audit committee had in the audit function’s overall competency. The profile was produced semi-annually initially (during the rebuilding phase) and annually (once stability of staffing was achieved).
• The profile delivered to the audit committee contained three sections — the leadership team, the team leaders and supervisors, and the auditing cohort. The profile provided a foundation for high-level discussions on succession planning arrangements.
• Based on the profile, the CAE was able to demonstrate staffing trends, including years of auditing experience, percentage of staff qualified, and percentage of staff with auditing certifications.

Step 12 – BOC endorses and monitors strategic competency plan (SCP).
• The CAE discussed the SCP and related plans at the audit committee meeting and articulated how these would collectively enable achievement of the vision, internal audit charter requirements, and the Forward Work Program. The audit committee endorsed the planning suite.
• The balanced scorecard reporting approach adopted by the CAE captured key targets and key performance indicator (KPI) measures associated with the planning suite, including the professional development plan, multidisciplinary skill set, auditing certifications, and third-party services. The audit committee monitored the trends in the balanced scorecard report on a quarterly basis.

Outcome
An external quality assessment review — completed on this audit function within five years after the CAE was recruited and implemented the planning suite — confirmed the successes achieved. Notably:
• The audit activities were recognized as being consistent with world-class auditing in most areas, thus achieving the vision that had been agreed with the CEO and audit committee.
• Most elements of the IA-CM were rated at an optimized level, with two elements rated as managed and bordering on optimized.
• Professional auditing standards were consistently applied across all sites.
• The key stakeholders, including the audit committee and CEO, recognized the transformation and rated the audit function as providing “value for money.”


Appendix C
Resources

Related IIA Guidance


Code of Ethics: Competency is a Principle and a Rule of Conduct

• Principle – Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit activities.

• Rule of Conduct – Internal auditors:

›› Shall engage only in those services for which they have the necessary knowledge, skills, and experience.

›› Shall perform internal audit services in accordance with the International Standards for the Professional Practice of
Internal Auditing.

›› Shall continually improve their proficiency and the effectiveness and quality of their services.

Global Public Sector Insight: Independent Audit Committees in Public Sector Organizations (The IIA, 2014).
https://global.theiia.org/standards-guidance/leading-practices/Pages/Independent-Audit-Committees-in-Public-Sector-Organizations.aspx

Global Public Sector Insight: Policy Setting for Public Sector Internal Auditing in the Absence of Government Legislation (The IIA, 2014).
https://global.theiia.org/standards-guidance/leading-practices/Pages/Policy-Setting-for-Public-Sector-Auditing-in-the-Absence-of-Government-Legislation.aspx

Global Strategic Planning Document 2012–2016, The IIA.
https://na.theiia.org/committees/Committee%20Documents/IIA_Strategic_Planning_Document.pdf

Internal Auditor Competency Framework, IIA–Australia, July 2010.
https://www.iia.org.au/sf_docs/default-source/learning-development/Internal_Audit_Competency_Framework.pdf?sfvrsn=0

Leading Practices: Transparency of the Internal Audit Report in the Public Sector (The IIA, 2012).
https://global.theiia.org/standards-guidance/leading-practices/Pages/Transparency-of-the-Internal-Audit-Report-in-the-Public-Sector.aspx

Position Paper: The Role of Internal Auditing in Resourcing the Internal Audit Activity (The IIA, 2009).
https://global.theiia.org/standards-guidance/Public%20Documents/PP%20The%20Role%20of%20Internal%20Auditing%20in%20Resourcing%20the%20Internal%20Audit%20Activity.pdf

Practice Advisory 1200-1: Proficiency and Due Professional Care.
https://global.theiia.org/standards-guidance/Member%20Documents/PA_1200-1.pdf

Practice Advisory 1210-1: Proficiency.
https://global.theiia.org/standards-guidance/Member%20Documents/PA_1210-1.pdf

Practice Advisory 1220-1: Due Professional Care.
https://global.theiia.org/standards-guidance/Member%20Documents/PA_1220-1.pdf


Practice Advisory 1230-1: Continuing Professional Development.
https://global.theiia.org/standards-guidance/Member%20Documents/PA_1230-1.pdf

Practice Guide: Chief Audit Executives – Appointment, Performance, Evaluation, and Termination (The IIA, 2010).
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/CAESAppointment-Performance-Evaluation-and-Termination-Practice-Guide.aspx

Practice Guide: Developing the Internal Audit Strategic Plan (The IIA, 2012).
https://global.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/Developing-the-Internal-Audit-Strategic-Plan-Practice-Guide.aspx

Supplemental Guidance: Implementing a New Internal Audit Function in the Public Sector (The IIA, 2012).
https://global.theiia.org/standards-guidance/leading-practices/Pages/Implementing-a-New-Internal-Audit-Function-in-the-Public-Sector.aspx

Supplemental Guidance: Value Proposition of Internal Auditing and the Internal Audit Capability Model (The IIA, 2012).
https://global.theiia.org/standards-guidance/leading-practices/Pages/Value-Proposition-of-Internal-Auditingand-the-Internal-Audit-Capability-Model.aspx

The IIA’s Global Internal Audit Competency Framework.
https://global.theiia.org/about/about-internal-auditing/Pages/Competency-Framework.aspx

Research: The Institute of Internal Auditors Research Foundation (IIARF)

Insight: Delivering Value to Stakeholders.

Internal Audit Capability Model (IA-CM) for the Public Sector.

Nine Elements Required for Internal Audit Effectiveness in the Public Sector.

The IIA’s Global Internal Audit Survey: Core Competencies for Today’s Internal Auditor.

Authors, Contributors, and Reviewers

Authors:
Bruce Turner, CGAP, CRMA, CISA, CFE, PFIIA (Aus)
Kenneth J. Mory, CIA, CPA, CISA, CRMA
Audrey Donavan, CIA, CRMA

Contributors and Reviewers:
Christie J. O’Loughlin, CGAP, CRMA
Paul J. Duggan, CA, CIA, CISA
Elizabeth (Libby) MacRae, CGAP

About the Institute
Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes. For other authoritative guidance materials provided by The IIA, please visit our website at www.globaliia.org/standards-guidance

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and, as such, is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright
Copyright © 2015 The Institute of Internal Auditors. For permission to reproduce, please contact guidance@theiia.org.

GLOBAL HEADQUARTERS
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.globaliia.org
