The Internal Auditor’s Interaction with Role-players

Material: Chapter 4 in Coetzee et al

1
 • See p. 64
• Some important points:
The Internal Auditor’s Interaction • “[G]ood human relation skills are essential
with Role-players for professional success [in internal
Introduction auditing]”
• Internal auditors must understand the
people and groups they interact with to
achieve their (the auditors’) objectives
• Internal auditors often seem to threaten
others’ security due to the nature of their
work
• So they must be sensitive to other people’s
needs, and know how to integrate the needs
of individuals and subgroups with the overall
needs of the organisation

2
 • Some important points:
• Internal auditors must be able to
The Internal Auditor’s Interaction
communicate well, express their thoughts
with Role-players in a logical manner, and work in a team
Introduction • P. 64: “Good relationships with the staff
and management of the engagement
client, the board of directors, the audit
committee…[and]…the external
auditors…is essential.”
• This chapter deals with the most
important groups with which internal
auditors interact, being the above groups

3
 • See 4.2 on p. 65

The Internal Auditor’s Interaction

with Role-players
Public versus private sector
organisations

4
 • The board of directors determines the
organisation’s strategy and direction
The Internal Auditor’s Interaction • The responsibility for an organisation’s
with Role-players activities resides with the board
1. With the board of directors • And it is the organisation’s governing
body, to which the CAE should report
functionally
Why must the IA activity • “Functional reporting” includes the
report directly to the
board? following:
See p. 66 • Approving of the internal audit charter
• Communicating of the audit engagement
results
• Approving the appointment of the CAE
• Determining remuneration of staff
• Reporting scope limitations

5
 • The board should consist of executive
and non-executive directors
The Internal Auditor’s Interaction • See p. 66 for explanations of:
with Role-players • The difference between executive and non-
executive directors
1. With the board of directors
• The term “independent non-executive
director”
• See the diagram on the next slide

6
 The Internal Auditor’s Interaction with Role-players
1. With the board of directors

Board composition “rules”

Board of • Why are they

directors needed?
• Should be
majority
• Why?

Non-
Executive
executive
directors
directors
• CEO, CFO, COO,
etc. • Should be
• Why are they majority of the
needed?
Independent
“Plain” non- non-executives
• At least the CEO +
non-
executives
one more
executives
7
 • Some further “rules”
• The chairman should be an
The Internal Auditor’s Interaction independent non-executive director
with Role-players
• Size of the board
1. With the board of directors
• Directors should have a variety of
Audit
qualifications/experience
Audit
committee
committee
• The board can form sub-committees
to assist itself, and the common
Social
Social and
and
ethics
ethics
committee
committee
Nomination
Nomination
committee
committee
ones are:
Board of • Audit committee – see slide 15
directors
• Nomination committee
• Composition: all members should be non-
executive directors, with the majority also
Remuneration
Remuneration
Risk
Risk committee
committee committee
committee being independent

8
 • Some further “rules”
• Common sub-committees:
The Internal Auditor’s Interaction • Remuneration committee
with Role-players • Should decide the remuneration for
1. With the board of directors executive directors (the people who make
lots of money), and recommend the
remuneration for non-executive directors
• Composition: all members should be non-
executive directors, with the majority also
being independent
• Risk committee
• Often combined with the audit committee
to form an audit and risk committee
• Composition: executive and non-executive
members, with the majority being non-
executive directors

9
 • Some further “rules”
• Common sub-committees:
The Internal Auditor’s Interaction • Social and ethics committee
with Role-players • Composition: executive and non-executive
1. With the board of directors members, with the majority being non-
executive directors

10
 • The responsibility (and risk of liability) of
directors has increased in recent years
The Internal Auditor’s Interaction
• The board relies on the internal audit activity
with Role-players to provide reasonable assurance that
governance, risk management and control
1. With the board of directors
processes are adequate and effective
• Per Standard 2060 the CAE periodically should
report to the board and senior management
on the internal audit activity’s purpose,
authority, responsibility and performance
relative to the activity’s annual plan
• Reporting should include significant risk exposures
and control issues, governance issues and other
matters needed or requested by the board and
senior management

11
 • Guide 2060-1 provides further guidance
The Internal Auditor’s Interaction
with Role-players
1. With the board of directors
on the relationship between the
internal auditors and the board
• Best practice includes the following:
• The CAE should submit annual activity reports,
based on the approved internal audit activity
plan, to senior management and the board
• The CAE should communicate significant
engagement observations (including
recommendations) regarding risk and control
to the board
• The board should be informed of senior
management’s decisions on significant
observations and recommendations, especially
when internal auditing believes that senior
management has accepted an unacceptably
high level of risk
12
 • Guide 2060-1
• Best practice includes the following:
• The CAE should consider whether it is
The Internal Auditor’s Interaction
with Role-players appropriate to inform the board about
previously reported significant observations
1. With the board of directors and recommendations in instances where
senior management and the board have not
corrected the reported condition
• P. 67: “A close relationship between the
[internal] audit team and the directors
is therefore needed for internal
auditors to be effective in an
organisation. They should have free
access to the board…without
operational management being
present.”
13
 • Subcommittees assist the board of directors
with various tasks
The Internal Auditor’s Interaction
• One of those sub-committees, namely the
with Role-players audit committee, is closely linked to the audit
activities (internal and external), so the next
1. With the board of directors
section will deal with the internal auditor’s
relationship with that committee

Don’t get the internal

audit activity and the
audit committee mixed
up!

14
 • The audit committee is a required sub-
committee of the board
The Internal Auditor’s Interaction
• On p. 68:
with Role-players • “If the audit committee and the internal auditors
work closely together, the likelihood of
2. With the audit committee independence and objectivity in audit
engagements and report will increase. The
reason…is the composition of the audit
committee and the fact that its chair and…its
members should be [independent] non-executive
directors.”
• “Without a strong audit committee, the
independence of the internal audit activity is
questionable and the findings of the internal
audit activity may not be addressed properly by
the board or senior management.”
• The audit committee should have a charter
• See p. 69 for an example

15

The Internal Auditor’s Interaction
with Role-players
2. With the audit committee
• The relationship between the internal
audit activity and the audit committee
normally is managed by the CAE
• It’s not just about having an audit
committee – it must be effective
• A few guidelines:
• All the members should be independent non-
executive directors
• So the CAE should not be member
• Three to five members
• A committed, competent chairperson is very
important
• At least one member should be a financial
expert
• Should meet at least three times per annum
16
 • It’s not just about having an audit
committee – it must be effective
The Internal Auditor’s Interaction • A few guidelines:
with Role-players • Meetings should be well-planned and of
sufficient length
2. With the audit committee
• The CEO, CAE and external auditor should
attend meetings when requested
• The performance of the audit committee
should be evaluated on a regular basis

17
 • The functions of the audit
committee
The Internal Auditor’s Interaction • Overall
with Role-players
• The committee should exercise
2. With the audit committee oversight over the organisation’s:
• Accounting function
• External audit process – see slide 19
• Internal audit activity – see slides 20 and
21
If these things work,
the organisation’s
financial reporting is
much more likely to be
truthful

18
 • The functions of the audit
committee
The Internal Auditor’s Interaction • Re the external audit process
with Role-players
• The committee should:
2. With the audit committee • Help with the selection (or removal) of
the auditor
• Review the audit fee
To a large extent about
promoting auditor
• Approve non-audit services provided by
independence the external auditor
• Meet with the auditor before and during
the audit
• Review financial statements

19
 • The functions of the audit
The Internal Auditor’s Interaction
with Role-players
2. With the audit committee
committee
• Re the internal audit activity
• The committee should:
• Approve the internal activity’s charter
• Review and approve the internal audit
activity’s objectives, plans, organisational
structure and resource requirements
• Assess the staffing of the internal audit
activity
• Directly communicate with the CAE, who
regularly should attend and participate in
meetings
• Assess the level of coordination between
the internal and external audit functions
20
 • The functions of the audit
The Internal Auditor’s Interaction
with Role-players
2. With the audit committee
committee
• Re the internal audit activity
• The committee should:
• Advise on the appointment and dismissal
of the CAE
• Review the internal auditors’ evaluations
of governance, risk management and
control processes
• Recommend any changes to the internal
audit approach
• Oversee the internal control system and
consider material comments and
recommendations in internal audit
reports
21
 • The role of internal auditing in
supporting the audit committee
The Internal Auditor’s Interaction • See p. 70
with Role-players
• Communication between the audit
2. With the audit committee committee and internal auditing
• Guidance
• The audit committee should meet privately
with the CAE on a regular basis to discuss
sensitive issues
• The CAE should provide an annual summary
report on the results of the audit activities
relating to the defined mission and scope of
audit work
• The CAE should issue periodic reports to the
committee, summarising the results of all of
internal auditing’s audit activities

22
 • Communication between the audit
The Internal Auditor’s Interaction
with Role-players
2. With the audit committee
committee and internal auditing
• Guidance
• The CAE should keep the audit committee
informed of emerging trends and successful
practices in internal auditing
• Together with the external auditors, the CAE
should discuss the fulfilment of the
committee’s information needs
• The CAE should review information submitted
to the committee for completeness and
accuracy
• The CAE should inform the committee
whether there is effective and efficient
coordination of activities between the internal
and external auditors
• The committee should be able to determine if there
is work duplication, and the CAE should provide
reasons for such duplication
23
 • Here “management” refers to the operating
executives of an organisation, rather than the
board
The Internal Auditor’s Interaction • There is a degree of overlap, of course
with Role-players
• P. 71: “Management’s support for internal
3. With management
auditing is crucial, in order to enable internal
auditors to perform their duties and support
the organisation in achieving its objectives.”
• Internal auditors may have a problem being
objective in their tasks
• They must not become involved in the operations
and decision-making processes of the organisation
• And must be free from undue influence by
management

24
 • To promote its independence, the internal
audit activity must report administratively to
the CEO, and functionally to the board of
The Internal Auditor’s Interaction directors (audit committee)
with Role-players
• We have looked at this before
3. With management

25

The Internal Auditor’s Interaction
with Role-players
4. With the engagement
client staff
• When performing engagements, internal
auditors rely on the organisation’s employees
to obtain the necessary information
• So good relationships with engagement client
staff are essential
• During an internal auditor’s interaction with
the organisation’s employees, conflicts
inevitably will arise
• Much of it due to attitudes towards internal
auditors – see p. 72
• The internal auditor needs to walk a tightrope:
he/she has to act as senior management’s
watchdog, but needs the staff members’ help
to get information
26

The Internal Auditor’s Interaction
with Role-players
4. With the engagement
client staff
• Reasons for conflict
• See p. 73
• So what can internal auditors do?
• They should develop good listening skills
• They should operate in such a way that
engagement staff see them as helpful
buffers, not as policemen
• Some methods:
• Control self-assessment
• Participative auditing

The Internal Auditor’s Interaction
with Role-players
5. With other assurance
providers (external auditors)
• Read the introduction on pp. 74 and 75
and Relationships with external
auditors on p. 75
• Comparison between internal and
external auditors
• See Table 4.2 on pp. 76 and 77
• The primary difference between internal
and external auditors is the overall
objective of their main activity
• External auditors
• Reporting to shareholders on the truthfulness (and
hence usefulness) of the financial statements
• Internal auditors
• Have a broader function, as discussed earlier
• Report to management and the board of directors
28
 • Advantages and benefits of
The Internal Auditor’s Interaction
with Role-players
5. With other assurance
providers (external auditors)
coordination between the internal and
external auditors
• Coordination can increase the
effectiveness and efficiency of the
organisation’s audit component
• Value of coordination for the external
auditor
• The internal auditors’ in-depth knowledge and
experience of the organisation enables the
external auditors to gain more insight into the
workings of the organisation
• Internal auditors’ assessment of the internal
control structure, as well as the system
descriptions, can assist external auditors to get
an overall view of the organisation, as well as
to identify areas that require extra attention
29
 • Advantages and benefits of
The Internal Auditor’s Interaction
with Role-players
5. With other assurance
providers (external auditors)
coordination between the internal and
external auditors
• Value of coordination for the internal
auditor
• The client relationship can be improved by a
better understanding of the organisation
• Areas that would require further investigation
by the internal auditors after the external
audit is done are identified by the external
auditors
• The external auditor’s appraisal of the internal
audit activity can enhance its status
• Effective coordination and reliance of external
auditors on internal auditors’ work can result
in savings on audit fees
• The internal auditors will be exposed to other
techniques and technical knowledge
30
 • The Institute of Internal Auditors’
position on coordination
The Internal Auditor’s Interaction • Performance standard 2050 reflects on the
with Role-players duty of the CAE to share information and
5. With other assurance coordinate efforts with other internal and
providers (external auditors) external providers of relevant assurance
and consulting services
• To ensure good coverage and minimise work
duplication
• Coordination is the responsibility of the
board of directors, but is usually delegated
to the CAE
• The board may also request the CAE to
assess the external auditor’s performance
• See p. 78 for more detail on this

31
 • The IIA’s position on coordination
• Organisations may use the work of the
The Internal Auditor’s Interaction
external auditors to provide assurance
with Role-players related to activities within the scope of
internal auditing
5. With other assurance
• The CAE then needs to understand the work
providers (external auditors) performed by the external auditors
• See p. 78
• Periodic meetings between the two
parties should be held to discuss:
• Audit coverage
• Access to each other’s audit programmes and
working papers
• Exchange of audit reports and the
management letter
• Common understanding of audit techniques,
methods and terminology

32
 • The external auditor’s reliance on
internal audit work
The Internal Auditor’s Interaction • Per ISA 610, external auditors have to
with Role-players consider the following before they can rely
5. With other assurance on the work of the internal auditors:
providers (external auditors) • Organisational status
• Scope of the function
• Technical competency
• Due professional care

33