10 Key Internal Audit Topics for Audit Committee Consideration
Total Page:16
File Type:pdf, Size:1020Kb
August 2013 Audit Committee Brief From the Business, Industry & Government Team 10 Key Internal Audit Topics for Audit Committee Consideration By Richard J. Anderson, MBA, CPA J. Christopher Svare Submitted to Journal of Accountancy the data as a springboard to take a forward look at the profession and suggest 10 areas for Introduction scrutiny and focus in the years ahead. One of an audit committee’s most important responsibilities is to oversee the organization’s Although developed for internal auditors, the internal audit function, which plays a major role Imperatives for Change report also suggests in the areas of risk management and corporate a roadmap of important topics for joint governance. Typically, a Chief Audit Executive, consideration by the audit committee and chief or CAE, will have a direct reporting line to audit executive. They also point to the linkages the audit committee, which has functional between topics and the need to consider the oversight of internal audit activities. To assist implications of their interrelationships. audit committees with this oversight, and to provide a strategic framework for the direction 10 Key Questions for Audit Committees and orientation of internal audit, the authors Outlined below are the 10 imperative topics for outline 10 suggested topics for discussion internal auditors recast into rhetorical questions between the CAE and the audit committee. for audit committees. Each question is followed These topics, framed as questions, stem by a short discussion of the topic, examples of from the results of the largest-ever global related internal audit activities, and additional survey of internal auditors, which identified 10 topics and/or questions for audit committee “imperatives” for internal audit focus. consideration. Every five years, the Institute of Internal Q1: What is the internal audit coverage of Auditors (the “IIA”) conducts its Global Internal the organization’s risk management and Audit Survey to gain a current snapshot of governance processes? the profession. The IIA’s most recent survey In recent years, internal auditors have been included responses from more than 13,000 increasing their focus on the risk management internal auditors around the world. During and governess processes of the organizations 2011, the Institute of Internal Auditors they audit and assess. At the same time, audit Research Foundation (IIARF) published a series committees have stepped up their interest in of reports to discuss the results of the global risk management and governance, reflecting survey. One report, “The Global Internal the heightened oversight of these areas on the Audit Survey, Imperatives for Change: The IIA’s parts of regulatory and supervisory bodies in Global Internal Audit Survey in Action,” used both the public and private sector. Given the aicpa.org/BIG Guidance from the Board importance of these areas, the audit committee their risk assessment and how responsive of Governors of the needs to evaluate the current and projected and flexible they are with their audit plans. In Federal Reserve System scope of internal audit coverage of risk addition to recommended changes to the audit on the relationship management and governance . plan, the audit committee needs to ensure between the risk that internal audit provides it with a rundown assessment and the In organizations in the initial stages of risk audit plan on changes to the organization’s risk profile management implementation, the role of internal or new emerging risks that are driving audit “Risk assessments audit is often that of a catalyst or facilitator to plan changes. By reviewing changes to the should be revised in help foster development of the organization’s organization’s risk profile, the audit committee light of changing market risk management processes. In such situations, conditions, or laws and can gain comfort that the recommended audit internal auditors’ knowledge of the organization regulations and updated plan changes will address current risks. during the year as and its risks can be very helpful. And as the changes are identified organization’s risk management processes mature, One further point: The audit committee should in the business activities internal audit can serve in more of an assurance have a clear understanding that the CAE’s role of the institution or capacity, providing audit coverage of the risk extends beyond audit plan execution to ensure observed in the markets practices that have been implemented. that the internal audit process is identifying in which the institution changes to the organization’s risks and operates, but no less On a similar note, internal audit also can provide addressing these risks on a timely basis. than annually. When advice and assurance over the organization’s the risk assessment governance processes. Of note, the IIA’s Q3: How does internal audit use technology to indicates a change in International Standards for the Professional enhance its auditing and monitoring activities? risk, the audit plan should be reviewed to Practice of Internal Auditing (the “Standards”) Technology tools are increasingly being used by determine whether the now require internal auditors to address both risk internal auditors to enhance both the efficiency planned audit coverage management and governance processes in their and effectiveness of their auditing activities. For should be increased or audit coverage. example, powerful data mining tools enable decreased to address internal auditors to perform audit tests on entire the revised assessment Q2: How responsive to change and flexible is populations of data as opposed to testing data of risk.” internal audit’s risk-based audit plan? samples alone. In addition, data mining tools Supplemental Policy on Internal auditors are required by the Standards enable internal auditors to monitor controls, the Internal Audit Function to conduct a risk-based audit plan. While there is and It’s Outsourcing, risk and fraud indicators, and performance January 23, 2013 no one approach to conducting risk assessments metrics. Given the scope of these capabilities, and developing the related audit plan, many many internal auditors find that such tools offer internal audit groups conduct an annual risk significant opportunities to improve and enhance assessment and prepare an annual audit plan. their auditing efforts. In today’s world of complex and dynamic risks, however, more and more internal audit groups Audit committees need to determine how are updating their risk assessments and audit their internal auditors are using technology, plans on a more frequent and timely basis their plans for leveraging technology further, than just annually. For example, survey results and what types of support the internal audit indicate that it is becoming more common for function needs to be successful. To make these internal auditors to update their audit plans determinations, the audit committee also on a quarterly basis. What’s more, a number of needs to be aware of the specialized skills and internal audit groups have moved to “rolling” budgetary support required by internal audit audit plans of that only cover six-month periods. to achieve its technology objectives. These By taking a more timely approach to their audit are all topics of possible inquiry by the audit planning, organizations are helping to ensure committee. that their audit coverage is focused at the most critical issues in a given time period. Q4: What is the strategic vision and plan for internal audit? The audit committee needs to understand how, With the rapid changes in commerce today, and with what frequency, internal audit updates strategic planning has taken a new and elevated aicpa.org/BIG focus in many organizations. Internal auditing is clearly what those expectations for adding value no different. For internal auditors to keep current are and then to tailor their processes to meet with new developments in auditing, technology those expectations. and business, they must plan effectively. As the IIA Global Survey indicates, “A well-conducted For any internal audit function, providing strategic planning exercise will allow the CAE assurance is a core and expected value to develop his or her mission and various driver. But what other types of value do approaches and strategies to achieving that stakeholders expect internal audit to provide? mission.” For example, some internal auditors today add value by providing high quality talent to To assess the strategic orientation of their their organizations. Others assist management internal audit functions, audit committees should by providing monitoring and data mining ask questions such as these: capabilities that contribute to improved business- unit performance, or assist in enhancing risk • What is internal audit’s vision for the near- management and governance processes. and mid-term future? • Does internal audit have a strategic plan? Irrespective of the specific value drivers of an • How does internal audit plan to keep pace organization, however, there should be clarity with the risks and processes in the business? and agreement among internal audit, executive • Has internal audit identified gaps between management and the audit committee as to where its processes and practices are today stakeholder expectations and the specific and where they need to be in the 3-5 years? internal audit activities to which stakeholders • Does the internal audit strategy align with and ascribe value. It’s then up to internal audit