Overview of Internal Audit
- 1. Information Technology Audit Business Practice Training Sean D. Obi, CISA, CISM, PMP IT Audit | IT Risk | IT Compliance Understanding basic approaches towards Information Technology review @seanpizzie 1 www.techembro.com @techembro
- 2. Internal Audit - Introduction Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal audit program provides assurance that internal controls in place are adequate to mitigate risks, governance processes are effective and efficient, and organizational goals and objectives are being met. @seanpizzie 2 www.techembro.com @techembro
- 3. Internal Audit – Introduction (Cont’d) Internal auditing bridges the gap between management and the executive leadership or the board of an agency; assesses the ethical climate and the effectiveness and efficiency of operations; and serves as an organization’s safety net for compliance with rules, regulations, and overall best business practices. Internal audits are performed by professionals employed by the agency who have an in-depth understanding of the business culture, systems, and processes. The internal audit function is an integral part of the agency and derives its authority from senior management. It serves to promote objective, comprehensive review coverage, and to assure the consideration of audit recommendations. @seanpizzie 3 www.techembro.com @techembro
- 4. Internal Audit – Introduction (Cont’d) The chief audit executive (CAE) is the person within an agency with overall responsibility for the internal audit program. The CAE is responsible for developing the internal audit charter, staffing, administering, and managing the internal audit program to ensure it operates in accordance with professional standards and adds value to the organization. The CAE reports to the agency director or board significant nonconformance of professional standards that impacts the overall scope or operation of the internal audit program. Depending on an agency’s governance structure, an audit committee may be used to help the agency review, monitor, and/or direct the agency’s activities related to maintaining effective internal control. An agency audit committee could also improve financial practices and reporting, and enhance both the internal and external audit functions.@seanpizzie 4 www.techembro.com @techembro
- 5. Internal Audit – Introduction (Cont’d) The internal auditor or other professionals (internal or external to the agency) may provide assurance and advisory support to management in areas such as developing appropriate procedures to conduct risk assessments and internal reviews of control activities. External auditors are not part of an agency’s internal audit program and cannot be a replacement for or supplement to an adequate internal audit program. The role of the external auditor is to provide independent accountability and assurance to the public and external stakeholders. However, this independent assurance is also valuable feedback to those charged with governance and agency management. @seanpizzie 5 www.techembro.com @techembro
- 6. Professional audit standards The internal audit program must conform to either the International Standards for the Professional Practice of Internal Auditing and Code of Ethics (IIA Red Book), Generally Accepted Government Auditing Standards (GAO Yellow Book), or both. Regardless of which set of standards are adopted, the internal auditing program should adhere to the following core principles and mandatory attributes of internal auditing. @seanpizzie 6 www.techembro.com @techembro
- 7. Professional audit standards Core principles Demonstrates integrity Demonstrates quality and continuous improvement Demonstrates competence and due professional care Communicates effectively Is objective and free from undue influence Provides risk-based assurance Aligns with the strategies, objectives, and risks of the organization Is insightful, proactive, and future-focused Is appropriately positioned and adequately resourced Promotes organizational improvement @seanpizzie 7 www.techembro.com @techembro
- 8. Professional audit standards Common mandatory attributes Organizational independence Individual objectivity Proficiency and due professional care Quality assurance and improvement program @seanpizzie 8 www.techembro.com @techembro
- 9. Internal and external auditors As an integral part of the organization, internal auditors possess an in- depth understanding of the agency’s culture, operations, strategies, and risks. External auditors gain an understanding of operations only as needed to inform their specific audit. Some key differences between internal and external auditing to consider in coordinating efforts include: Internal audit Staffed by employees or contractors of the agency. Mandated to provide assurance and advice to senior management (and board, if applicable) to improve the state of governance, risk management, and control within the agency. Focused on all functions and operations of the agency. Required to meet audit standards for organizational independence. Provide continuous services to management. @seanpizzie 9 www.techembro.com @techembro
- 10. Internal and external auditors External audit Staffed by employees or contractors of the external audit organization. Mandated by authorizing law, rule, or other authority to provide assurance to external stakeholders (the public, legislature, federal regulators, etc.) on the accuracy of agency reports, compliance with laws and rules, and efficiency of operations. Focused on areas stipulated by statute, rule, or authority. Independent of the agency. Audits may be intermittent or routine such as the end of a fiscal period or grant period. @seanpizzie 10 www.techembro.com @techembro
- 11. Components of an Internal Audit Charter What is an Audit Charter? Internal audit functions play a vital role in providing assurance of an organization’s risk management practices and protecting and enhancing organizational value. The internal audit charter is a formal document that clearly defines and articulates “marching orders” for the internal audit function from the governing body (typically the audit committee) and management. It should be reviewed and approved by the governing body on an annual basis. The charter must define, at minimum, the following items: @seanpizzie 11 www.techembro.com @techembro
- 12. Components of an Internal Audit Charter “Cont’d” Internal audit’s purpose within the organization Internal audit’s authority Internal audit’s responsibility Internal audit’s position within the organization The charter provides a blueprint for how internal audit will operate and allows the governing body to emphasize the value it places on the independence of the internal audit function. The charter establishes this independence by defining reporting lines from the Chief Audit Executive (CAE) to the governing body and, administratively, to executive management. @seanpizzie 12 www.techembro.com @techembro
- 13. Vital Components of an Audit Charter the IIA identified seven vital components that support the overall strength and effectiveness of the internal audit function and should be included in the internal audit charter: 1. Mission and Purpose The charter should define both the mission and the purpose of the internal audit function. The mission should be to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Internal audit’s independent and objective assurance and consulting services should be designed to add value and improve the organization’s operations. @seanpizzie 13 www.techembro.com @techembro
- 14. Vital Components of an Audit Charter 2. Adherence to the International Standards for the Professional Practice of Internal Auditing The charter should include details about how the internal audit function governs itself and how it adheres to the IIA’s International Professional Practices Framework (IPPF), including: Standards Core principles for the professional practice of internal auditing Definition of internal auditing Code of ethics @seanpizzie 14 www.techembro.com @techembro
- 15. Vital Components of an Audit Charter 3. Authority The charter should define the CAE’s functional and administrative reporting relationship in the organization as noted above. In addition, a statement should be included affirming that the governing body will establish, maintain, and assure that the internal audit function has sufficient authority to fulfill its duties. @seanpizzie 15 www.techembro.com @techembro
- 16. Vital Components of an Audit Charter 4. Independence and Objectivity The charter should state that the CAE will ensure independence and objectivity of the internal audit function to carry out its duties in an unbiased manner. Furthermore, internal audit should have no direct operational responsibility or authority over any of the activities audited. @seanpizzie 16 www.techembro.com @techembro
- 17. Vital Components of an Audit Charter 5. Scope of Internal Audit Activities The charter should define the scope of the internal audit function. The scope should include providing independent assessments of the adequacy and effectiveness of governance, risk management, and control processes. @seanpizzie 17 www.techembro.com @techembro
- 18. Vital Components of an Audit Charter 6. Responsibility The responsibility of the internal audit function should also be described in the charter and the following should be performed at least annually: Verification that the internal audit function is fulfilling its mandate Assurance of compliance with IIA standards Communication of the results of its work and follow up of agreed corrective actions @seanpizzie 18 www.techembro.com @techembro
- 19. Vital Components of an Audit Charter 7. Quality Assurance and Improvement Program The charter should define the internal audit’s Quality Assurance and Improvement Program (QAIP), which covers all aspects of the internal audit function including: Evaluation of conformance to IIA Standards and requirement to report the results of its QAIP periodically to senior management and the governing body An external assessment of the activity at least once every five years @seanpizzie 19 www.techembro.com @techembro